Bug 281921 (CVE-2007-4568)
Summary: | CVE-2007-4568 xfs integer overflow in the build_range function
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Tomas Hoger <thoger>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA
Severity: | low
Priority: | low
Version: | unspecified
CC: | bressers, kreilly, mshao, tyan, xgl-maint
Keywords: | Reopened, Security
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2015-02-17 15:20:27 UTC
Bug Depends On: | 373251, 373261, 419451, 419461, 419481, 419501
Description
Tomas Hoger
2007-09-07 07:33:19 UTC
Created attachment 189581
Upstream patch against X.Org 7.2 for first issue.

Created attachment 189591
Upstream patch against X.Org 7.2 for second issue.

I believe these flaws should be given a low severity rating. The worst possible outcome would be a local user gaining access to the xfs user, which really only has access to the xfs daemon. Even if the xfs daemon dies, a running X session will continue, so there is minimal loss of functionality.

Created attachment 197041
Updated patch provided by Matthieu Herrb (both fixed now in one patch)

Each of the vulnerabilities now got separate CVE id:

CVE-2007-4568: Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer overflow.

Second issue was assigned CVE id CVE-2007-4990, see separate bug #322961.

This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0030.html
http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263

Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.