Bug 168264 - CAN-2005-0605, CAN-2005-2495 XFree86/Xorg - libXpm & other multiple integer overflows
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: XFree86
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: LEGACY, rh73, rh90, 1, 2
: 153990 (view as bug list)
Depends On:
Reported: 2005-09-14 06:30 UTC by David Eisenstein
Modified: 2007-04-18 17:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-03-07 23:31:16 UTC


Description David Eisenstein 2005-09-14 06:30:31 UTC
+++ This bug was initially created as a clone of Bug #166857 +++

Quoting Josh Bressers from Bug #166856: "What is going on here is that an X
client is trying to allocate a pixmap of size 9GB. Because of an integer
overflow this is not caught and instead a pixmap of size 1GB is allocated.
When the client then tries to access the pixmap we get a server crash.

"This seems exploitable to me: a client could allocate a pixmap of size
4GB + 4byte, causing the server to allocate just 4 bytes. Then the client
could use XDrawPoint() and XGetImage() to read and write any location in
the X server address space. It could first use XGetImage to search
for the stack, then use XDrawPoint to rewrite it to return into another
pixmap the client allocated, thus getting the X server to execute arbitrary

"This issue was discovered by Luke Hutchison, with the security implications
and patch found by Soeren Sandmann."

-- Additional comment from mjc@... on 2005-09-13 05:51 EST --
Public, removing embargo

   CVE:  CAN-2005-2495
         Bug #166856, Bug #166857, Bug #166859

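The arithmetic in the description above, as an added example that is not part of the bug report or of the X server sources: a constructed C model of the width * height * bytes-per-pixel computation, showing the unchecked form wrapping for the 9 GB and 4 GB + 4 byte requests and an overflow-checked form rejecting them. The function names, the constructed dimensions and the 256 MB cap are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not the X server's code) of a CreatePixmap size
 * computation: width * height * bytes-per-pixel done in 32-bit unsigned
 * arithmetic wraps silently, which is the integer overflow the bug
 * describes. Width and height are CARD16 in the X protocol, so the sample
 * dimensions below all fit in 16 bits. */

/* Unchecked computation: models the vulnerable behaviour. */
uint32_t pixmap_bytes_unchecked(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;   /* may wrap modulo 2^32 */
}

/* Checked computation: returns the byte count, or 0 if the request is
 * empty, would overflow 32 bits, or exceeds max_bytes. Overflow is
 * detected by dividing before multiplying, so no wrap can occur. */
uint32_t pixmap_bytes_checked(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, uint32_t max_bytes)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if (height > UINT32_MAX / width)           /* width * height overflows */
        return 0;
    uint32_t area = width * height;
    if (bytes_per_pixel > UINT32_MAX / area)   /* area * bpp overflows */
        return 0;
    uint32_t bytes = area * bytes_per_pixel;
    if (bytes > max_bytes)                     /* policy cap on pixmap size */
        return 0;
    return bytes;
}

int main(void)
{
    /* Constructed inputs matching the two cases in the description:
     * 49152 x 49152 x 4 = 9 GB, which wraps to 1 GB;
     * 62525 x 17173 x 4 = 4 GB + 4 bytes, which wraps to 4 bytes. */
    uint32_t cases[][3] = { {49152, 49152, 4}, {62525, 17173, 4}, {1024, 768, 4} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i][0], h = cases[i][1], bpp = cases[i][2];
        printf("%5u x %5u x %u: unchecked=%10u checked=%10u\n", w, h, bpp,
               pixmap_bytes_unchecked(w, h, bpp),
               pixmap_bytes_checked(w, h, bpp, 256u << 20));
    }
    return 0;
}
```

A checked value of 0 for the first two cases is the point: the request is refused before any allocation, instead of a tiny buffer being handed to a client that believes it owns gigabytes.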

Comment 1 David Eisenstein 2005-09-14 06:46:01 UTC
I am certain this affects Fedora Core 2 (which uses, and I believe this
vulnerability also affects FC1, Red Hat Linux 9, and Red Hat Linux 7.3.  There
are some tests available in's Bug report that may allow users
of FC1, RH9, and RH7.3 to check their versions and see if/how they are affected.

Comment 2 Mike A. Harris 2005-09-28 02:24:38 UTC
Is Fedora Legacy project going to actually include this fix, or can
we just close the bug report "WONTFIX" with explanation to upgrade
to FC4?

Comment 3 David Eisenstein 2005-09-28 06:59:24 UTC
I am responding to comment 2's writer outside of Bugzilla, for now.

Comment 4 David Eisenstein 2005-09-29 14:21:09 UTC
Latest X sources likely affected by this security issue:

Distro     Size      Date         Source Package
------  ---------- ------------ -------------------------------------
RH7.3:    57964519 Feb 01  2005 XFree86-4.2.1-16.73.30.legacy.src.rpm
RH9:      66897306 Feb 02  2005 XFree86-4.3.0-2.90.60.legacy.src.rpm
FC1:      66897069 Feb 02  2005 XFree86-4.3.0-59.legacy.src.rpm
FC2:      54599063 Mar 29 16:50 xorg-x11-6.7.0-14.src.rpm

Red Hat has issued errata announcements that fix this issue:
   * RHSA-2005:501-01 for XFree86 (for RHEL3) XFree86-4.3.0-95.EL.src.rpm

   * RHSA-2005:396-01 for (for RHEL4) xorg-x11-6.8.2-1.EL.13.16.src.rpm

   * FEDORA-2005-893 for, updated by FEDORA-2005-914 (for FC3)

   * FEDORA-2005-894 for, updated by FEDORA-2005-904 (for FC4)

Comment 5 David Eisenstein 2005-09-29 14:50:36 UTC
I am just now noticing Bug 153990 is open for the XFree86 issue CAN-2005-0605. 
Have suggested there that we close that bug as DUPLICATE of this bug so we can
proceed to work on XFree86/xorg bugs here.

Note that XFree86-4.3.0-81.EL.src.rpm (for RHEL3) was issued for CAN-2005-0605,
so XFree86-4.3.0-95.EL.src.rpm should contain fixes for both that CVE and for
CAN-2005-2495.  We may have to backport those fixes for RedHat Linux 7.3

Updating this bug's title to indicate the multiple CVEs to be worked on here.
Soon, I hope!  :-)

Comment 6 David Eisenstein 2005-09-29 15:38:21 UTC
Ah, RHSA-2005:501-01 XFree86-4.3.0-95.EL.src.rpm has been superseded by
    RHBA-2005:787-5  XFree86-4.3.0-97.EL.src.rpm.

Comment 7 Marc Deslauriers 2006-02-13 23:25:03 UTC

Here are updated XFree86/xorg packages to QA:

* Sun Feb 12 2006 Marc Deslauriers <>
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer

5d7e4958f28347292d249328e82f00260cda0c9f  7.3/XFree86-4.2.1-16.73.31.legacy.src.rpm
b7be065ec6e6f9006387b89b30b18c0b3a07972f  9/XFree86-4.3.0-2.90.61.legacy.src.rpm
2b8485c5a109e5d01759e2aadbe1f23ea751e89a  1/XFree86-4.3.0-60.legacy.src.rpm
0bc44a52286f25201379e386cda80dbabf664199  2/xorg-x11-6.7.0-14.1.legacy.src.rpm


Comment 8 Pekka Savola 2006-02-14 07:37:35 UTC

QA w/
 - source integrity OK
 - spec file changes minimal
 - patches verified to come from RHEL


5d7e4958f28347292d249328e82f00260cda0c9f  XFree86-4.2.1-16.73.31.legacy.src.rpm
b7be065ec6e6f9006387b89b30b18c0b3a07972f  XFree86-4.3.0-2.90.61.legacy.src.rpm
2b8485c5a109e5d01759e2aadbe1f23ea751e89a  XFree86-4.3.0-60.legacy.src.rpm
0bc44a52286f25201379e386cda80dbabf664199  xorg-x11-6.7.0-14.1.legacy.src.rpm


Comment 9 David Eisenstein 2006-02-16 05:17:11 UTC
*** Bug 153990 has been marked as a duplicate of this bug. ***

Comment 10 Marc Deslauriers 2006-02-17 21:23:07 UTC
Packages were pushed to updates-testing.

Comment 11 Pekka Savola 2006-03-04 05:53:46 UTC
Timeout over.

Comment 12 Marc Deslauriers 2006-03-07 23:31:16 UTC
Packages were released to updates.
