-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:080 http://www.mandriva.com/security/ _______________________________________________________________________ Package : tightvnc Date : April 4, 2007 Affected: 2007.0, Corporate 3.0, Corporate 4.0 _______________________________________________________________________ Problem Description: Local exploitation of a memory corruption vulnerability in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. The vulnerability exists in the ProcXCMiscGetXIDList() function in the XC-MISC extension. This request is used to determine what resource IDs are available for use. This function contains two vulnerabilities, both result in memory corruption of either the stack or heap. The ALLOCATE_LOCAL() macro used by this function allocates memory on the stack using alloca() on systems where alloca() is present, or using the heap otherwise. The handler function takes a user provided value, multiplies it, and then passes it to the above macro. This results in both an integer overflow vulnerability, and an alloca() stack pointer shifting vulnerability. Both can be exploited to execute arbitrary code. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) TightVNC uses some of the same code base as Xorg, and has the same vulnerable code. Updated packages are patched to address these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 68955a65584a1c964141aa1d0e44f7e0 2007.0/i586/tightvnc-1.2.9-13.2mdv2007.0.i586.rpm 9928944d22067747b5427a15ab59c853 2007.0/i586/tightvnc-doc-1.2.9-13.2mdv2007.0.i586.rpm 9a6643c4c00c3d758a204e1b46969914 2007.0/i586/tightvnc-server-1.2.9-13.2mdv2007.0.i586.rpm 0a4abe1c964ed13e3d445efc0c1dd244 2007.0/SRPMS/tightvnc-1.2.9-13.2mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 700ed069013c7cfef989263344e41dd0 2007.0/x86_64/tightvnc-1.2.9-13.2mdv2007.0.x86_64.rpm 8a8c9a1721c9521d2224da5b73ddaf76 2007.0/x86_64/tightvnc-doc-1.2.9-13.2mdv2007.0.x86_64.rpm 7a6402ace347731a1ae8722d80a75638 2007.0/x86_64/tightvnc-server-1.2.9-13.2mdv2007.0.x86_64.rpm 0a4abe1c964ed13e3d445efc0c1dd244 2007.0/SRPMS/tightvnc-1.2.9-13.2mdv2007.0.src.rpm Corporate 3.0: 65109fe6bab801e11e503b60b308643b corporate/3.0/i586/tightvnc-1.2.9-2.2.C30mdk.i586.rpm 3b08614f635cd9cf8b68d7c76d30b345 corporate/3.0/i586/tightvnc-doc-1.2.9-2.2.C30mdk.i586.rpm 0e61567902f05149ac4f08e64953febf corporate/3.0/i586/tightvnc-server-1.2.9-2.2.C30mdk.i586.rpm e019fb72dce33e1dbf2e6f7a3bdcb384 corporate/3.0/SRPMS/tightvnc-1.2.9-2.2.C30mdk.src.rpm Corporate 3.0/X86_64: ef2e7129cf59e0dbdbf783ebbefb7e43 corporate/3.0/x86_64/tightvnc-1.2.9-2.2.C30mdk.x86_64.rpm cdd378ae7999c118a7dfafd0c67cc674 corporate/3.0/x86_64/tightvnc-doc-1.2.9-2.2.C30mdk.x86_64.rpm e30948128bc10c8aacc06694d986b1fa corporate/3.0/x86_64/tightvnc-server-1.2.9-2.2.C30mdk.x86_64.rpm e019fb72dce33e1dbf2e6f7a3bdcb384 corporate/3.0/SRPMS/tightvnc-1.2.9-2.2.C30mdk.src.rpm Corporate 4.0: 173bc482a466816a6b0c5a8b5568b8ef corporate/4.0/i586/tightvnc-1.2.9-6.2.20060mlcs4.i586.rpm 5b274d7ac4cd7758411ddbafc885209e corporate/4.0/i586/tightvnc-doc-1.2.9-6.2.20060mlcs4.i586.rpm 41fe3f9509d09eaa69f915afb348fee0 corporate/4.0/i586/tightvnc-server-1.2.9-6.2.20060mlcs4.i586.rpm 2651d5941592eba01e6acf47382d9cae corporate/4.0/SRPMS/tightvnc-1.2.9-6.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: e1aef1895d0bbbc24690e778ec848d74 corporate/4.0/x86_64/tightvnc-1.2.9-6.2.20060mlcs4.x86_64.rpm 54537c7aa36eff300a96daac296af9ed corporate/4.0/x86_64/tightvnc-doc-1.2.9-6.2.20060mlcs4.x86_64.rpm 342dc521a4cf33fdf775f0c13191a552 corporate/4.0/x86_64/tightvnc-server-1.2.9-6.2.20060mlcs4.x86_64.rpm 2651d5941592eba01e6acf47382d9cae corporate/4.0/SRPMS/tightvnc-1.2.9-6.2.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGFAq/mqjQ0CJFipgRAj8sAJ4vSrorVltrR5rKS/zYQiIc+yCcOQCg6w/U 0mmtsrU6dswWhOkGZYR+hJo= =VPgW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/