X.Org Xorg-Server vulnerabilities
124 known vulnerabilities affecting x.org/xorg-server.
Total CVEs: 124
CISA KEV: 0
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 21, HIGH 58, MEDIUM 38, LOW 7
Vulnerabilities
Page 6 of 7
CVE-2011-4029 | LOW | CVSS 1.9 | PoC | ≥ 0, < 2:1.11.1.901-2 | 2012-07-03
The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.
osv
CVE-2012-2118 | CRITICAL | CVSS 10.0 | ≥ 0, < 2:1.12.1.902-1 | 2012-05-18
Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name.
osv
CVE-2009-1573 | MEDIUM | CVSS 4.6 | ≥ 0, < 2:1.6.1.901-3 | 2009-05-06
xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly other operating systems places the magic cookie (MCOOKIE) on the command line, which allows local users to gain privileges by listing the process and its arguments.
osv
CVE-2008-1377 | CRITICAL | CVSS 9.0 | ≥ 0, < 2:1.4.1~git20080517-2 | 2008-06-16
The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via requests with crafted le
osv
CVE-2008-2360 | CRITICAL | CVSS 9.0 | ≥ 0, < 2:1.4.1~git20080517-2 | 2008-06-16
Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow.
osv
CVE-2008-2362 | CRITICAL | CVSS 10.0 | ≥ 0, < 2:1.4.1~git20080517-2 | 2008-06-16
Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corrup
osv
CVE-2008-2361 | MEDIUM | CVSS 6.8 | ≥ 0, < 2:1.4.1~git20080517-2 | 2008-06-16
Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory.
osv
CVE-2008-1379 | MEDIUM | CVSS 6.8 | ≥ 0, < 2:1.4.1~git20080517-2 | 2008-06-16
Integer overflow in the fbShmPutImage function in the MIT-SHM extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to read arbitrary process memory via crafted values for a Pixmap width and height.
osv
CVE-2007-6429 | CRITICAL | CVSS 9.3 | ≥ 0, < 2:1.4.1~git20080105-2 | 2008-01-18
Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
osv
CVE-2007-5760 | CRITICAL | CVSS 9.3 | ≥ 0, < 2:1.4.1~git20080105-2 | 2008-01-18
Array index error in the XFree86-Misc extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via a PassMessage request containing a large array index.
osv
CVE-2007-6427 | HIGH | CVSS 7.5 | ≥ 0, < 2:1.4.1~git20080105-2 | 2008-01-18
The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
osv
CVE-2008-0006 | HIGH | CVSS 7.5 | ≥ 0, < 2:1.4.1~git20080105-2 | 2008-01-18
Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code via a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table.
osv
CVE-2007-6428 | MEDIUM | CVSS 5.0 | ≥ 0, < 2:1.4.1~git20080105-2 | 2008-01-18
The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations via a request containing a 32-bit value that is improperly used as an array index.
osv
CVE-2007-5958 | MEDIUM | CVSS 5.0 | PoC | ≥ 0, < 2:1.4.1~git20080105-2 | 2008-01-18
X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists.
osv
CVE-2007-3920 | MEDIUM | CVSS 4.6 | ≥ 0, < 2:1.4.1~git20080118-1 | 2007-10-29
GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not properly reserve input focus, which allows attackers with physical access to take control of the session after entering an Alt-Tab sequence, a related issue to CVE-2007-3069.
osv
CVE-2007-4730 | MEDIUM | CVSS 4.3 | CWE-119 | v1.01v1.1+3 more | 2007-09-11
Buffer overflow in the compNewPixmap function in compalloc.c in the Composite extension for the X.org X11 server before 1.4 allows local users to execute arbitrary code by copying data from a large pixel depth pixmap into a smaller pixel depth pixmap.
nvd, osv
CVE-2007-2437 | MEDIUM | CVSS 5.5 | PoC | ≥ 0, < 2:1.3.0.0.dfsg-4 | 2007-05-02
The X render (Xrender) extension in X.org X Window System 7.0, 7.1, and 7.2, with Xserver 1.3.0 and earlier, allows remote authenticated users to cause a denial of service (daemon crash) via crafted values to the (1) XRenderCompositeTrapezoids and (2) XRenderAddTraps functions, which trigger a divide-by-zero error.
osv
CVE-2007-1003 | CRITICAL | CVSS 9.0 | ≥ 0, < 2:1.1.1-21 | 2007-04-06
Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.
osv
CVE-2006-6102 | CRITICAL | CVSS 10.0 | ≥ 0, < 2:1.1.1-15 | 2006-12-31
Integer overflow in the ProcDbeGetVisualInfo function in the DBE extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of unspecified data structures.
osv
CVE-2006-6101 | MEDIUM | CVSS 6.6 | ≥ 0, < 2:1.1.1-15 | 2006-12-31
Integer overflow in the ProcRenderAddGlyphs function in the Render extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of glyph management data structures.
osv