202472 – CVE-2006-3467 Xorg PCF handling Integer overflow

Bug 202472 - CVE-2006-3467 Xorg PCF handling Integer overflow

Summary: CVE-2006-3467 Xorg PCF handling Integer overflow

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	XFree86
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Søren Sandmann Pedersen
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:	impact=important,source=vendorsec,rep...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-08-14 18:03 UTC by Josh Bressers
Modified:	2014-06-18 09:08 UTC (History)
CC List:	2 users (show)
Fixed In Version:	RHSA-2006-0635
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-08-21 22:07:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Upstream patch (4.02 KB, patch) 2006-08-14 18:08 UTC, Josh Bressers	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2006:0635	0	normal	SHIPPED_LIVE	Important: XFree86 security update	2006-08-21 04:00:00 UTC

Description Josh Bressers 2006-08-14 18:03:40 UTC

+++ This bug was initially created as a clone of Bug #202469 +++

An integer overflow was discovered in the way freetype processes malformed PCF
files.  It seems that Xorg also contains the same PCF processing code as
freetype, there it too is vulnerable this issue.

We initally described this issue for freetype in bug 190593.

The upstream bug is here:
https://bugs.freedesktop.org/show_bug.cgi?id=7535

Comment 1 Josh Bressers 2006-08-14 18:05:10 UTC

This issue likely also affects RHEL2.1

Comment 2 Josh Bressers 2006-08-14 18:08:19 UTC

Created attachment 134155 [details]
Upstream patch

Comment 3 Søren Sandmann Pedersen 2006-08-14 22:55:42 UTC

New packages:

RHEL2: XFree86-4.1.0-76.EL

RHEL3: XFree86-4.3.0-111.EL

Comment 4 Josh Bressers 2006-08-17 15:00:53 UTC

There is a demo font file in attachment 134276 [details]

Comment 8 Red Hat Bugzilla 2006-08-21 22:07:13 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0635.html

Note You need to log in before you can comment on or make changes to this bug.