To: bugtraq@securityfocus.com
Subject: [ MDKSA-2007:080 ] - Updated tightvnc packages fix integer overflow vulnerabilities
Date: Wed, 04 Apr 2007 17:29:54 -0600
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1HZEvK-0006Yt-4N@artemis.annvix.ca.>
Sender: QA Team <qateam@artemis.annvix.ca.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:080
http://www.mandriva.com/security/
_______________________________________________________________________
Package : tightvnc
Date : April 4, 2007
Affected: 2007.0, Corporate 3.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
Local exploitation of a memory corruption vulnerability in the X.Org
and XFree86 X server could allow an attacker to execute arbitrary code
with privileges of the X server, typically root.
The vulnerability exists in the ProcXCMiscGetXIDList() function in the
XC-MISC extension. This request is used to determine what resource IDs
are available for use. This function contains two vulnerabilities,
both result in memory corruption of either the stack or heap. The
ALLOCATE_LOCAL() macro used by this function allocates memory on the
stack using alloca() on systems where alloca() is present, or using
the heap otherwise. The handler function takes a user provided value,
multiplies it, and then passes it to the above macro. This results in
both an integer overflow vulnerability, and an alloca() stack pointer
shifting vulnerability. Both can be exploited to execute arbitrary
code. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled
various font files. A malicious local user could exploit these issues
to potentially execute arbitrary code with the privileges of the X.org
server. (CVE-2007-1351, CVE-2007-1352)
TightVNC uses some of the same code base as Xorg, and has the same
vulnerable code.
Updated packages are patched to address these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.0:
68955a65584a1c964141aa1d0e44f7e0 2007.0/i586/tightvnc-1.2.9-13.2mdv2007.0.i586.rpm
9928944d22067747b5427a15ab59c853 2007.0/i586/tightvnc-doc-1.2.9-13.2mdv2007.0.i586.rpm
9a6643c4c00c3d758a204e1b46969914 2007.0/i586/tightvnc-server-1.2.9-13.2mdv2007.0.i586.rpm
0a4abe1c964ed13e3d445efc0c1dd244 2007.0/SRPMS/tightvnc-1.2.9-13.2mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
700ed069013c7cfef989263344e41dd0 2007.0/x86_64/tightvnc-1.2.9-13.2mdv2007.0.x86_64.rpm
8a8c9a1721c9521d2224da5b73ddaf76 2007.0/x86_64/tightvnc-doc-1.2.9-13.2mdv2007.0.x86_64.rpm
7a6402ace347731a1ae8722d80a75638 2007.0/x86_64/tightvnc-server-1.2.9-13.2mdv2007.0.x86_64.rpm
0a4abe1c964ed13e3d445efc0c1dd244 2007.0/SRPMS/tightvnc-1.2.9-13.2mdv2007.0.src.rpm
Corporate 3.0:
65109fe6bab801e11e503b60b308643b corporate/3.0/i586/tightvnc-1.2.9-2.2.C30mdk.i586.rpm
3b08614f635cd9cf8b68d7c76d30b345 corporate/3.0/i586/tightvnc-doc-1.2.9-2.2.C30mdk.i586.rpm
0e61567902f05149ac4f08e64953febf corporate/3.0/i586/tightvnc-server-1.2.9-2.2.C30mdk.i586.rpm
e019fb72dce33e1dbf2e6f7a3bdcb384 corporate/3.0/SRPMS/tightvnc-1.2.9-2.2.C30mdk.src.rpm
Corporate 3.0/X86_64:
ef2e7129cf59e0dbdbf783ebbefb7e43 corporate/3.0/x86_64/tightvnc-1.2.9-2.2.C30mdk.x86_64.rpm
cdd378ae7999c118a7dfafd0c67cc674 corporate/3.0/x86_64/tightvnc-doc-1.2.9-2.2.C30mdk.x86_64.rpm
e30948128bc10c8aacc06694d986b1fa corporate/3.0/x86_64/tightvnc-server-1.2.9-2.2.C30mdk.x86_64.rpm
e019fb72dce33e1dbf2e6f7a3bdcb384 corporate/3.0/SRPMS/tightvnc-1.2.9-2.2.C30mdk.src.rpm
Corporate 4.0:
173bc482a466816a6b0c5a8b5568b8ef corporate/4.0/i586/tightvnc-1.2.9-6.2.20060mlcs4.i586.rpm
5b274d7ac4cd7758411ddbafc885209e corporate/4.0/i586/tightvnc-doc-1.2.9-6.2.20060mlcs4.i586.rpm
41fe3f9509d09eaa69f915afb348fee0 corporate/4.0/i586/tightvnc-server-1.2.9-6.2.20060mlcs4.i586.rpm
2651d5941592eba01e6acf47382d9cae corporate/4.0/SRPMS/tightvnc-1.2.9-6.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
e1aef1895d0bbbc24690e778ec848d74 corporate/4.0/x86_64/tightvnc-1.2.9-6.2.20060mlcs4.x86_64.rpm
54537c7aa36eff300a96daac296af9ed corporate/4.0/x86_64/tightvnc-doc-1.2.9-6.2.20060mlcs4.x86_64.rpm
342dc521a4cf33fdf775f0c13191a552 corporate/4.0/x86_64/tightvnc-server-1.2.9-6.2.20060mlcs4.x86_64.rpm
2651d5941592eba01e6acf47382d9cae corporate/4.0/SRPMS/tightvnc-1.2.9-6.2.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFGFAq/mqjQ0CJFipgRAj8sAJ4vSrorVltrR5rKS/zYQiIc+yCcOQCg6w/U
0mmtsrU6dswWhOkGZYR+hJo=
=VPgW
-----END PGP SIGNATURE-----
