FreeBSD : xserver -- multiple issue with X client request handling (27b9b2f0-8081-11e4-b4ca-bcaec565249c)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Alan Coopersmith reports :

Ilja van Sprundel, a security researcher with IOActive, has discovered
a large number of issues in the way the X server code base handles
requests from X clients, and has worked with X.Org's security team to
analyze, confirm, and fix these issues.

The vulnerabilities could be exploited to cause the X server to access
uninitialized memory or overwrite arbitrary memory in the X server
process. This can cause a denial of service (e.g., an X server
segmentation fault), or could be exploited to achieve arbitrary code
execution.

The GLX extension to the X Window System allows an X client to send X
protocol to the X server, to request that the X server perform OpenGL
rendering on behalf of the X client. This is known as 'GLX indirect
rendering', as opposed to 'GLX direct rendering' where the X client
submits OpenGL rendering commands directly to the GPU, bypassing the X
server and avoiding the X server code for GLX protocol handling.

Most GLX indirect rendering implementations share some common
ancestry, dating back to 'Sample Implementation' code from Silicon
Graphics, Inc (SGI), which SGI originally commercially licensed to
other Unix workstation and graphics vendors, and later released as
open source, so those vulnerabilities may affect other licensees of
SGI's code base beyond those running code from the X.Org Foundation or
the XFree86 Project.

See also :

http://lists.x.org/archives/xorg-announce/2014-December/002500.html
http://www.nessus.org/u?ae991657

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now