Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| X11 | X | r7.3 (including) | r7.3 (including) |
| Xorg-server | Ubuntu | dapper | * |
| Xorg-server | Ubuntu | devel | * |
| Xorg-server | Ubuntu | feisty | * |
| Xorg-server | Ubuntu | gutsy | * |
| Xorg-server | Ubuntu | hardy | * |
| Xorg-server | Ubuntu | upstream | * |
| Red Hat Enterprise Linux 5 | RedHat | xorg-x11-server-0:1.1.1-48.41.el5_2.1 | * |