Bug 281921 (CVE-2007-4568)

Summary: CVE-2007-4568 xfs integer overflow in the build_range function
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bressers, kreilly, mshao, tyan, xgl-maint
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-02-17 15:20:27 UTC
Bug Depends On: 373251, 373261, 419451, 419461, 419481, 419501

Attachments:
- Upstream patch against X.Org 7.2 for first issue. (flags: none)
- Upstream patch against X.Org 7.2 for second issue. (flags: none)
- Updated patch provided by Matthieu Herrb (both fixed now in one patch) (flags: none)

Description Tomas Hoger 2007-09-07 07:33:19 UTC
From Matthieu Herrb:

iDefense has brought to X.Org's security team 2 vulnerabilities in
X.Org's font server, xfs.

The 1st one is an integer overflow in the build_range() function,
exploitable by the QueryXBitmaps and QueryXExtents requests.

The 2nd one is a potential heap overflow in the swap_char2b() function,
exploitable by the same 2 requests, to arbitrarily swap bytes two by two on
the heap.

X.Org 7.3 (released today) as well as all previous versions are vulnerable.
Other implementations of the X font server based on the original X/MIT
implementation are likely to be vulnerable too.

The impact of these vulnerabilities is pretty low according to both
iDefense's analysis and mine: most modern systems ship xfs either
disabled by default or listening only to a local Unix domain socket, so
it's not remotely accessible; moreover, the nature of the overflow
makes it difficult to actually exploit the vulnerability to get code
executed (but it's not strictly speaking impossible afaict); and lastly,
xfs should not be running as root anywhere.

Disclosure date: October 2, 14H GMT

Comment 1 Tomas Hoger 2007-09-07 07:40:49 UTC
Created attachment 189581 [details]
Upstream patch against X.Org 7.2 for first issue.

Comment 2 Tomas Hoger 2007-09-07 07:41:46 UTC
Created attachment 189591 [details]
Upstream patch against X.Org 7.2 for second issue.

Comment 3 Josh Bressers 2007-09-11 01:19:14 UTC
I believe these flaws should be given a low severity rating.  The worst possible
outcome would be a local user gaining access to the xfs user, which really only
has access to the xfs daemon.  Even if the xfs daemon dies, a running X session
will continue, so there is minimal loss of functionality.

Comment 6 Tomas Hoger 2007-09-17 06:54:44 UTC
Created attachment 197041 [details]
Updated patch provided by Matthieu Herrb (both fixed now in one patch)

Comment 7 Lubomir Kundrak 2007-10-03 15:04:19 UTC
Lifting embargo;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602

Comment 8 Tomas Hoger 2007-10-08 10:10:09 UTC
Each of the vulnerabilities has now got a separate CVE id:

CVE-2007-4568:

Integer overflow in the build_range function in X.Org X Font Server
(xfs) before 1.0.5 allows context-dependent attackers to execute
arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol
requests with crafted size values, which triggers a heap-based buffer
overflow.

The second issue was assigned CVE id CVE-2007-4990, see separate bug #322961.
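Both the original description and the CVE text above describe one pattern: a count taken from a client request (the number of ranges in a QueryXBitmaps or QueryXExtents request) is multiplied by an element size, the product sizes a heap allocation, and a wrapped product yields a buffer smaller than the data later copied into it. The C below is an added example written for this page; it is not the xfs source, not any of the attached patches, and `range_t`, `checked_alloc_size`, `build_range_safe` and `run_checks` are hypothetical names. The 4-byte range record and the constructed two-range request body are assumptions. It places the unchecked multiplication beside an overflow-checked size computation that is additionally bounded by the bytes the request actually carries, which is the check a defender would want in any such parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-range record (assumption: 4 bytes, no padding).
 * This is not xfs's own fsRange definition. */
typedef struct {
    uint16_t min_char;
    uint16_t max_char;
} range_t;

/* Constructed request body: two ranges, as a client might send them. */
static const range_t sample_body[2] = { { 0x20, 0x7e }, { 0x100, 0x1ff } };

/* Vulnerable pattern (illustrative, not the xfs code): the count from the
 * request is multiplied in 32-bit arithmetic, so a large count wraps to a
 * small allocation while any later copy loop still trusts 'count'. */
static uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(range_t);   /* may wrap to a tiny value */
}

/* Hardened helper: compute count * elem_size only if the product fits in
 * size_t; returns 1 and stores the product on success, 0 on overflow. */
static int checked_alloc_size(uint32_t count, size_t elem_size, size_t *out)
{
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return 0;
    *out = (size_t)count * elem_size;
    return 1;
}

/* Validate the advertised range count against both arithmetic overflow and
 * the bytes actually present before allocating or copying anything.
 * Returns a malloc'd copy of the ranges (caller frees) or NULL on rejection. */
static range_t *build_range_safe(const uint8_t *body, size_t body_len,
                                 uint32_t count, size_t *out_count)
{
    size_t bytes;
    if (!checked_alloc_size(count, sizeof(range_t), &bytes))
        return NULL;                 /* product would overflow size_t */
    if (bytes > body_len)
        return NULL;                 /* request claims more ranges than it carries */
    range_t *ranges = malloc(bytes ? bytes : 1);
    if (!ranges)
        return NULL;
    memcpy(ranges, body, bytes);
    *out_count = count;
    return ranges;
}

/* Exercise the helpers on the constructed body; returns the number of
 * checks that behaved as intended (4 when everything is correct). */
static int run_checks(void)
{
    int passed = 0;
    size_t bytes = 0, n = 0;

    /* 0x40000000 * 4 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    if (unchecked_alloc_size(0x40000000u) == 0) passed++;

    /* The checked version refuses a product that cannot fit in size_t. */
    if (!checked_alloc_size(UINT32_MAX, SIZE_MAX, &bytes)) passed++;

    /* A sane count parses and round-trips the constructed ranges. */
    range_t *r = build_range_safe((const uint8_t *)sample_body,
                                  sizeof sample_body, 2, &n);
    if (r && n == 2 && r[1].min_char == 0x100 && r[1].max_char == 0x1ff) passed++;
    free(r);

    /* A count larger than the body is rejected whether or not it wraps. */
    if (build_range_safe((const uint8_t *)sample_body, sizeof sample_body,
                         0x40000000u, &n) == NULL) passed++;
    return passed;
}

int main(void)
{
    int ok = run_checks();
    printf("%d of 4 checks passed\n", ok);
    return ok == 4 ? 0 : 1;
}
```

The two rejections in `build_range_safe` are independent on purpose: on a 32-bit `size_t` the overflow check fires first, on a 64-bit `size_t` the product is representable and the body-length check catches the oversized count instead, so the parser is safe on either platform.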

Comment 29 Red Hat Product Security 2008-01-22 19:40:35 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0030.html
  http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263

Comment 33 Vincent Danen 2015-02-17 15:20:27 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.