// For flags

CVE-2008-1377

X.org Record and Security extensions memory corruption

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

Las funciones (1) SProcRecordCreateContext y (2) SProcRecordRegisterClients en la extensión Record y la función (3) SProcSecurityGenerateAuthorization en la extensión Security del servidor X 1.4 en X.Org X11R7.3 permite a atacantes dependientes de contexto ejecutar código de su elección a través de peticiones con longitud de valores manipuladas que especifica un número aleatorio de bytes a ser intercambiados en el montículo, lo cual dispara corrupción de montículo.

Lack of validation of the parameters of the SProcSecurityGenerateAuthorization SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption. An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space. An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow. An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server. Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-03-18 CVE Reserved
  • 2008-06-11 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-189: Numeric Errors
CAPEC
References (51)
URL Tag Source
ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1377.diff X_refsource_confirm
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=721 Third Party Advisory
http://lists.freedesktop.org/archives/xorg/2008-June/036026.html Mailing List
http://secunia.com/advisories/30671 Third Party Advisory
http://secunia.com/advisories/30715 Third Party Advisory
http://secunia.com/advisories/30772 Third Party Advisory
http://secunia.com/advisories/30809 Third Party Advisory
http://secunia.com/advisories/30843 Third Party Advisory
http://secunia.com/advisories/31025 Third Party Advisory
http://secunia.com/advisories/31109 Third Party Advisory
http://secunia.com/advisories/32099 Third Party Advisory
http://secunia.com/advisories/32545 Third Party Advisory
http://secunia.com/advisories/33937 Third Party Advisory
http://securitytracker.com/id?1020247 Vdb Entry
http://support.apple.com/kb/HT3438 X_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2008-249.htm X_refsource_confirm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0201 X_refsource_confirm
http://www.securityfocus.com/archive/1/493548/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/493550/100/0/threaded Mailing List
http://www.vupen.com/english/advisories/2008/1803 Vdb Entry
http://www.vupen.com/english/advisories/2008/1833 Vdb Entry
http://www.vupen.com/english/advisories/2008/1983/references Vdb Entry
http://www.vupen.com/english/advisories/2008/3000 Vdb Entry
https://issues.rpath.com/browse/RPL-2607 X_refsource_confirm
https://issues.rpath.com/browse/RPL-2619 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10109 Signature
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00002.html 2018-10-11
http://rhn.redhat.com/errata/RHSA-2008-0502.html 2018-10-11
http://www.debian.org/security/2008/dsa-1595 2018-10-11
http://www.ubuntu.com/usn/usn-616-1 2018-10-11
URL Date SRC
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01543321 2018-10-11
http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html 2018-10-11
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html 2018-10-11
http://rhn.redhat.com/errata/RHSA-2008-0504.html 2018-10-11
http://rhn.redhat.com/errata/RHSA-2008-0512.html 2018-10-11
http://secunia.com/advisories/30627 2018-10-11
http://secunia.com/advisories/30628 2018-10-11
http://secunia.com/advisories/30629 2018-10-11
http://secunia.com/advisories/30630 2018-10-11
http://secunia.com/advisories/30637 2018-10-11
http://secunia.com/advisories/30659 2018-10-11
http://secunia.com/advisories/30664 2018-10-11
http://secunia.com/advisories/30666 2018-10-11
http://security.gentoo.org/glsa/glsa-200806-07.xml 2018-10-11
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238686-1 2018-10-11
http://www.gentoo.org/security/en/glsa/glsa-200807-07.xml 2018-10-11
http://www.mandriva.com/security/advisories?name=MDVSA-2008:115 2018-10-11
http://www.mandriva.com/security/advisories?name=MDVSA-2008:116 2018-10-11
http://www.redhat.com/support/errata/RHSA-2008-0503.html 2018-10-11
https://access.redhat.com/security/cve/CVE-2008-1377 2008-06-11
https://bugzilla.redhat.com/show_bug.cgi?id=445403 2008-06-11
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
X
Search vendor "X"
 X11
Search vendor "X" for product "X11"
 r7.3
Search vendor "X" for product "X11" and version "r7.3"
-
Affected