Bug 455209 - DoS in the Xrender Extension's Trapezoid Drawing Routines
DoS in the Xrender Extension's Trapezoid Drawing Routines
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xorg-x11-server (Show other bugs)
8
All Linux
low Severity high
: ---
: ---
Assigned To: Adam Jackson
Fedora Extras Quality Assurance
http://www.rapid7.com/advisories/R7-0...
: Patch
: 443234 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-13 22:56 EDT by Juliano F. Ravasi
Modified: 2008-07-30 16:05 EDT (History)
3 users (show)

See Also:
Fixed In Version: xorg-x11-server-1.3.0.0-47.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-28 17:57:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Juliano F. Ravasi 2008-07-13 22:56:15 EDT
XRender trapezoid drawing routines are broken in xorg-server 1.3.0, and causes
X.org crashes. They can be used as a vector for Denial-of-Service attacks, as
described in the following advisories:

http://www.rapid7.com/advisories/R7-0027.jsp
http://xforce.iss.net/xforce/xfdb/33976

The advisories say that xorg-server 1.3.1, that would presumably have been
relased Apr 30, 2007, fixed this. No such release was made to date, and current
git server-1.3-branch tree doesn't include the fix.

This is likely the cause of the following bugs:

Bug 443234 - X Server Crash with Firefox 3 Beta 5
Bug 448586 - Firefox 3 crashes Xorg at picture.c:1600
Bug 453607 - specific webpage in firefox crashes X

All these bugs have backtraces pointing to the trapezoid rendering functions
mentioned in the advisory.

The actual fix for this problem seems to be commit
047bf3349bb697c73c95729a8bbf15f72605901f of the xorg/server git tree, which is
not yet ported to server-1.3-branch.
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=047bf3349bb697c73c95729a8bbf15f72605901f

Possible solutions include:
1. Request upstream to port the fix to server-1.3-branch, then release an
updated package; or
2. backport the needed patches to fix this problem in current Fedora 8, RHEL 5.2.
Comment 1 Matěj Cepl 2008-07-15 12:46:13 EDT
Looks interesting
Comment 2 Matěj Cepl 2008-07-15 12:46:27 EDT
*** Bug 443234 has been marked as a duplicate of this bug. ***
Comment 3 Matěj Cepl 2008-07-15 12:47:21 EDT
*** Bug 453607 has been marked as a duplicate of this bug. ***
Comment 4 Fedora Update System 2008-07-24 11:58:13 EDT
xorg-x11-server-1.3.0.0-47.fc8 has been submitted as an update for Fedora 8
Comment 5 Juliano F. Ravasi 2008-07-26 17:55:14 EDT
(In reply to comment #4)
> xorg-x11-server-1.3.0.0-47.fc8 has been submitted as an update for Fedora 8

Tested, it successfully fixed the Xorg crashes.
Thanks!
Comment 6 Matěj Cepl 2008-07-28 17:57:33 EDT
Thanks for letting us know.
Comment 7 Fedora Update System 2008-07-30 16:05:16 EDT
xorg-x11-server-1.3.0.0-47.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.