Bug 455209 - DoS in the Xrender Extension's Trapezoid Drawing Routines
Summary: DoS in the Xrender Extension's Trapezoid Drawing Routines
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11-server
Version: 8
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
URL: http://www.rapid7.com/advisories/R7-0...
Whiteboard:
: 443234 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-14 02:56 UTC by Juliano F. Ravasi
Modified: 2018-04-11 11:28 UTC (History)
4 users (show)

Fixed In Version: xorg-x11-server-1.3.0.0-47.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-28 21:57:33 UTC
Type: ---


Attachments (Terms of Use)

Description Juliano F. Ravasi 2008-07-14 02:56:15 UTC
XRender trapezoid drawing routines are broken in xorg-server 1.3.0, and causes
X.org crashes. They can be used as a vector for Denial-of-Service attacks, as
described in the following advisories:

http://www.rapid7.com/advisories/R7-0027.jsp
http://xforce.iss.net/xforce/xfdb/33976

The advisories say that xorg-server 1.3.1, that would presumably have been
relased Apr 30, 2007, fixed this. No such release was made to date, and current
git server-1.3-branch tree doesn't include the fix.

This is likely the cause of the following bugs:

Bug 443234 - X Server Crash with Firefox 3 Beta 5
Bug 448586 - Firefox 3 crashes Xorg at picture.c:1600
Bug 453607 - specific webpage in firefox crashes X

All these bugs have backtraces pointing to the trapezoid rendering functions
mentioned in the advisory.

The actual fix for this problem seems to be commit
047bf3349bb697c73c95729a8bbf15f72605901f of the xorg/server git tree, which is
not yet ported to server-1.3-branch.
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=047bf3349bb697c73c95729a8bbf15f72605901f

Possible solutions include:
1. Request upstream to port the fix to server-1.3-branch, then release an
updated package; or
2. backport the needed patches to fix this problem in current Fedora 8, RHEL 5.2.

Comment 1 Matěj Cepl 2008-07-15 16:46:13 UTC
Looks interesting

Comment 2 Matěj Cepl 2008-07-15 16:46:27 UTC
*** Bug 443234 has been marked as a duplicate of this bug. ***

Comment 3 Matěj Cepl 2008-07-15 16:47:21 UTC
*** Bug 453607 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2008-07-24 15:58:13 UTC
xorg-x11-server-1.3.0.0-47.fc8 has been submitted as an update for Fedora 8

Comment 5 Juliano F. Ravasi 2008-07-26 21:55:14 UTC
(In reply to comment #4)
> xorg-x11-server-1.3.0.0-47.fc8 has been submitted as an update for Fedora 8

Tested, it successfully fixed the Xorg crashes.
Thanks!

Comment 6 Matěj Cepl 2008-07-28 21:57:33 UTC
Thanks for letting us know.

Comment 7 Fedora Update System 2008-07-30 20:05:16 UTC
xorg-x11-server-1.3.0.0-47.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.