= Security Advisories =

This page details security issues that have been found in X.Org, and their remedies.

Please contact <> to report security issues in the X.Org codebase.

== X.Org 7.6 ==

 * Jan 19, 2012 - vulnerability in default keyboard maps:
  * CVE-2012-0064: It is possible to bypass a screen locking application when displayed on Xorg 1.11 or later by using the input grab killing keystrokes, which were enabled by default.

   The fix was included in [[http://lists.x.org/archives/xorg-announce/2012-January/001797.html|xkeyboard-config 2.5]] to not enable those key mappings unless requested.

   Please see [[http://who-t.blogspot.com/2012/01/xkb-breaking-grabs-cve-2012-0064.html]] for more information.

 * Oct 18, 2011 - 2 vulnerabilities related to X server lock files:
  * CVE-2011-4028: File disclosure vulnerability: It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files.
  * CVE-2011-4029: File permission change vulnerability: It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denial of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html|the advisory]] for more information.

   Patches are available: [[http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34|CVE-2011-4028]] [[http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4|CVE-2011-4029]]

   Fixes are included in [[http://lists.x.org/archives/xorg-announce/2011-October/001747.html|xserver 1.11.2RC2]] and later.

 * Aug 10, 2011 - CVE-2011-2895: A specially crafted LZW compressed font file may be used by a user who can connect to the X server to overflow a buffer in the X server, possibly leading to a local privilege escalation.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html|the advisory]] for more information.

   Patch is available: [[http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0|CVE-2011-2895]]

   Fix is included in [[http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html|libXfont 1.4.4]] and later.

 * Apr 5, 2011 - CVE-2011-0465: By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html|the advisory]] for more information.

   Patch is available: [[http://cgit.freedesktop.org/xorg/app/xrdb/patch/?id=1027d5df07398c1507fb1fe3a9981aa6b4bc3a56|CVE-2011-0465]]

== X.Org 7.3 ==

 * Jun 11, 2008 - CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362: Several vulnerabilities have been found in the server-side code of some extensions in the X Window System. Improper validation of client-provided data can cause data corruption.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2008-June/000578.html|the advisory]] for more information.

   Patches are available: [[ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1377.diff|CVE-2008-1377]] [[ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1379.diff|CVE-2008-1379]] [[ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2360.diff|CVE-2008-2360]] [[ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2361.diff|CVE-2008-2361]] [[ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2362.diff|CVE-2008-2362]]

 * Jan 17, 2008 - CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429, CVE-2008-0006: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2008-January/000441.html|the advisory]] for more information.

   Patches are available for X11R7.2 [[http://xorg.freedesktop.org/archive/X11R7.2/patches/xorg-libXfont-1.2.7-pcf-parser.diff|libXfont 1.2.7]] and [[http://xorg.freedesktop.org/archive/X11R7.2/patches/xorg-xserver-1.2-multiple-overflows.diff|xserver 1.2]] as well as for X11R7.3: [[http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-libXfont-1.3.1-pcf-parser.diff|libXfont 1.3.1]] and [[http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows.diff|xserver 1.4]].

  * '''Update''' Jan 21, 2008 - The patch for the MIT-SHM vulnerability (CVE-2007-6429) introduced a regression for applications that allocate pixmaps with a depth of less than 8 bits. New patches are available for [[http://xorg.freedesktop.org/archive/X11R7.2/patches/xorg-xserver-1.2-multiple-overflows-v2.diff|xserver 1.2]] and [[http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows-v2.diff|xserver 1.4]].

    MD5: 8e3f74c2cabddd3d629018924140e413 [[http://xorg.freedesktop.org/archive/X11R7.2/patches/xorg-xserver-1.2-multiple-overflows-v2.diff|xorg-xserver-1.2-multiple-overflows-v2.diff]]<<BR>>
    SHA1: 38ad95d97e83861c309276a27296787e6d0d1b54 [[http://xorg.freedesktop.org/archive/X11R7.2/patches/xorg-xserver-1.2-multiple-overflows-v2.diff|xorg-xserver-1.2-multiple-overflows-v2.diff]]

    MD5: ded4bc31104aedada0155514a968b45f [[http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows-v2.diff|xorg-xserver-1.4-multiple-overflows-v2.diff]]<<BR>>
    SHA1: af92fd389e72a3bb59d25dbf9cbb06e827b75d7d [[http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xserver-1.4-multiple-overflows-v2.diff|xorg-xserver-1.4-multiple-overflows-v2.diff]]

 * Oct 2, 2007 - CVE-2007-4568: Multiple vulnerabilities in the X font server can lead to heap corruption or overflow from a client.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html|the advisory]] for more information.

   This is fixed in [[http://xorg.freedesktop.org/archive/individual/app/xfs-1.0.5.tar.bz2|xfs 1.0.5]]. A patch is available for [[http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xfs-1.0.4-query.diff|xfs 1.0.4]].

== X.Org 7.2 ==

 * April 3, 2007 - CVE-2007-1003 CVE-2007-1351 CVE-2007-1352 CVE-2007-1352: Lack of validation of parameters passed to the X server and libX11 by client applications can lead to various kinds of integer overflows or stack overflows that can be used to overwrite data in the X server memory.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html|the advisory]] for more information.

   Patches are available for [[http://xorg.freedesktop.org/archive/X11R7.2/patches|7.2]].

== X.Org 7.1 ==

 * January 9, 2007 - CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The !ProcDbeGetVisualInfo(), !ProcDbeSwapBuffer() and !ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server's memory.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2007-January/000235.html|the advisory]] for more information.

   Patches are available for [[Releases/6.8.2|6.8.2]], [[Releases/6.9|6.9.0]], [[Releases/7.0|7.0]] and [[Releases/7.1|7.1]].

 * September 12, 2006 - It may be possible for a user with the ability to set the X server font path, by making it point to a malicious font, to cause arbitrary code execution or denial of service on the X server.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2006-September/000128.html|the advisory]] for more information.

   Patches are available for [[Releases/6.8.2|6.8.2]], [[Releases/6.9|6.9.0]], [[Releases/7.0|7.0]] and [[Releases/7.1|7.1]].

== X.Org 6.9.0/7.0 ==

 * June 20, 2006 - A lack of checks for setuid() failures when invoked by a privileged process (e.g., X server, xdm, xterm, if installed setuid or setgid) may cause the process to execute certain privileged operations (file access) as root while it was intended to be executed with a less privileged effective user ID, on systems where setuid() called by root can fail. This can be used by a malicious local user to overwrite files and possibly elevate privileges in some corner cases.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2006-June/000100.html|the advisory]] for more information.

   Patches are available for [[Releases/6.8.2|6.8.2]], [[Releases/6.9|6.9.0]], [[Releases/7.0|7.0]] and [[Releases/7.1|7.1]].

 * May 2, 2006 - A security vulnerability has been found in the X.Org server as shipped with !X11R6.8.x, !X11R6.9.0 and !X11R7.0 (xorg-server 1.0.x) -- this is [[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526|CVE-2006-1526]]. Clients authorized to connect to the X server are able to crash it and to execute malicious code within the X server.

   Please see [[http://lists.freedesktop.org/archives/xorg/2006-May/015136.html|the advisory]] for more information.

   Patches are available for [[Releases/6.8.2|6.8.2]], [[Releases/6.9|6.9.0]] and [[Releases/7.0|7.0]].

 * March 20, 2006 - A security vulnerability has been found in the X.Org server as shipped with !X11R6.9.0 and !X11R7.0 (xorg-server 1.0.0 and 1.0.1) -- this is [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0745|CVE-2006-0745]]. Local users were able to escalate privileges to root and cause a DoS if the Xorg server was installed setuid root (the default). Note that earlier releases are not vulnerable.

   Please see [[http://lists.freedesktop.org/archives/xorg/2006-March/013858.html|the advisory]] for more information.

   Patches are available for [[Releases/6.9|6.9.0]] and [[Releases/7.0|7.0]]. If you are running !X11R7.0, you can upgrade xorg-server to 1.0.2 or later ([[http://lists.freedesktop.org/archives/xorg/2006-March/013993.html|release announcement]]).

== X.Org 6.8.2 ==

 * September 12, 2005 - Due to missing range checks on the pixel size of a pixmap, any X client that can connect to the affected X server can cause subsequent pixmap read/write functions to access memory outside of the allocated pixmap. This way any user having access to the server can access memory that is accessible from within the X server and/or crash the server. The CVE number for these vulnerabilities is [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495|CAN-2005-2495]].

   A patch against [[Releases/6.8.2|6.8.2]] is available.

== X.Org 6.8.1 ==

 * November 17, 2004 - X.Org was made aware of an additional security vulnerability in libXpm, the X Pixmap library, which is shipped as part of the X Window System. The affected library is used in many popular applications for image viewing and manipulation. The Common Vulnerabilities and Exposures (CVE) project has assigned the name [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914|CAN-2004-0914]] to these issues.

   Patches are provided for [[Releases/6.8.0|6.8.0]] and [[Releases/6.8.1|6.8.1]]. The problem is fixed in 6.8.2 and later.

== X.Org 6.8.0 ==

 * September 15, 2004 - A security vulnerability has been found in libXpm, the X pixmap library which is shipped as part of the X Window System. Please check [[http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch|here]] for further information.

   This problem has been fixed in [[Releases/6.8.1|6.8.1]]. We also provide a patch for [[Releases/6.8.0|6.8.0]] and earlier.

== X11R6.6 and older ==

''This is not a complete listing of older security issues, just those discovered more recently''

 * July 24, 2012 - CVE-2012-1699: A vulnerability has been found in the X11''''''R6 font server code in the handling of the Set''''''Event''''''Mask request in xfs which can lead to either denial of service or a leak of information from the xfs process address space.

   Please see [[http://lists.freedesktop.org/archives/xorg-announce/2012-July/002040.html|the advisory]] for more information.

   Patch is included in the advisory. Fix is included in XFree86 3.3.3 and later, and X.Org X11R6.7 and later.