X.Org LibX11 XKEYBOARD buffer overflow
| xorg-libx11-xkeyboard-bo (28820) |  High Risk |
Description:
The X.Org LibX11 library is vulnerable to a buffer overflow, caused by improper bounds checking by the XKEYBOARD extension. If the XKEYBOARD extension is enabled, a local attacker could set the '_XKB_CHARSET' environment variable to an overly long string to overflow a buffer and execute arbitrary code on the system with the privileges of the application linked to the vulnerable library.
*CVSS:
| Base Score: | 7 |
| Access Vector: | Local |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Complete |
| Integrity Impact: | Complete |
| Availability Impact: | Complete |
| Temporal Score: | 5.8 |
| Exploitability: | Functional |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Privileges
Remedy:
Upgrade to the latest version of X.Org X11 (6.5.1 or later), or apply the appropriate patch for your system, available from the X.Org Foundation Web site. See References.
For Sun Solaris:
Refer to Sun Alert ID: 102570 for patch, upgrade, or suggested workaround information. See References.
References:
- RISE-2006001: X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability.
- Sun Alert ID: 102570: Buffer Overflow Vulnerability in libX11.
- X.Org Foundation Web site: X.Org Foundation.
- ASA-2006-195: Sun Alert Notifications from Sun Weekly Report dated September 09 2006
- BID-19905: X.Org X Window Server LibX11 XKEYBOARD Extension Local Buffer Overflow Vulnerability
- CVE-2006-4655: Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.
- SA21815: Sun Solaris libX11 Buffer Overflow Vulnerability
- SA21845: X11 "_XKB_CHARSET" Buffer Overflow Vulnerability
- SA21856: Unixware libX11 Buffer Overflow Vulnerability
- SA21993: Avaya CMS Sun Solaris libX11 Buffer Overflow
- SECTRACK ID: 1016806: X11R6 XKEYBOARD Extension Buffer Overflow Lets Local Users Gain Elevated Privileges
- VUPEN/ADV-2006-3525: X.Org LibX11 Library XKEYBOARD Extension Local Buffer Overflow Vulnerability
- VUPEN/ADV-2006-3529: Sun Solaris Security Update Fixes X.Org libX11 Local Buffer Overflow Vulnerability
Platforms Affected:
- SCO SCO UnixWare 7.1.3
- Sun Solaris 10 x86
- Sun Solaris 10 SPARC
- Sun Solaris 8 x86
- Sun Solaris 8 SPARC
- Sun Solaris 9 x86
- Sun Solaris 9 SPARC
- X.Org X.Org Server X11R6.4
Reported:
Sep 07, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.