Bug 322961 (CVE-2007-4990)

Summary: CVE-2007-4990 xfs heap overflow in the swap_char2b function
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ddumas, jrusnack, kreilly, tools-bugs, xgl-maint
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4990
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-17 15:21:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 373321, 373331, 419451, 419461, 419481, 419501, 429336    
Bug Blocks:    

Description Tomas Hoger 2007-10-08 10:05:38 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4990 to the following vulnerability:

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows
context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and
(2) QueryXExtents protocol requests with crafted size values that specify an
arbitrary number of bytes to be swapped on the heap, which triggers heap
corruption.

References:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
Comment 1 Tomas Hoger 2007-10-08 10:07:12 UTC 
Upstream patch:

http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xfs-1.0.4-query.diff
Comment 3 Tomas Hoger 2007-10-08 10:25:22 UTC 
For justification of security impact, see:

  https://bugzilla.redhat.com/show_bug.cgi?id=281921#c3
Comment 18 Red Hat Product Security 2008-01-22 19:40:52 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0030.html
  http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263
Comment 20 Mark J. Cox 2008-01-24 11:00:02 UTC 
For Red Hat Enterprise Linux 5:

We believe that additional checks performed by glibc on data structures used
by heap memory management functions make this issue harder to exploit on RHEL5.
Moreover, successful exploitation will only allow attacker to get privileges
of unprivileged xfs user.  Moreover, xfs server is be default confined by the
SELinux policy, which further restricts privileges of the xfs user.
Comment 23 Vincent Danen 2015-02-17 15:21:41 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.