Red Hat Bugzilla – Bug 281921
CVE-2007-4568 xfs integer overflow in the build_range function
Last modified: 2016-03-04 06:06:20 EST
From Matthieu Herrb:
iDefense has brought to X.Org's security team 2 vulnerabilities in
X.Org's font server, xfs.
The 1st one is an integer overflow in the build_range() function,
exploitable by the QueryXBitmaps and QueryXExtents requests.
The 2nd one is a potential heap overflow in the swap_char2b() function,
exploitable by the same 2 requests, to arbitrarily swap bytes 2 by two on
X.Org 7.3 (released today) as well all previous versions are vulnerable.
Other implementations of the X font server based on the original X/MIT
implementation are likely to be vulnerable too.
The impact of these vulnerabilities is pretty low according to both
iDefense's analysis and mine: most modern systems ship xfs either
disabled by default or listening only to a local Unix domain socket, so
it's not remotely accessible, and moreover the nature of the overflow
make it difficult to actually exploit the vulnerability to get code
executed (but it's not strictly speaking impossible afaict), and last
xfs should not be running as root anywhere.
Disclosure date: October 2, 14H GMT
Created attachment 189581 [details]
Upstream patch against X.Org 7.2 for first issue.
Created attachment 189591 [details]
Upstream patch against X.Org 7.2 for second issue.
I believe these flaws should be given a low severity rating. The worst possible
outcome would be a local user gaining access to the xfs user, which really only
has access to the xfs daemon. Even if the xfs daemon dies, a running X session
will continue, so there is minimal loss of functionality.
Created attachment 197041 [details]
Updated patch provided by Matthieu Herrb (both fixed now in one patch)
Each of the vulnerabilities now got separate CVE id:
Integer overflow in the build_range function in X.Org X Font Server
(xfs) before 1.0.5 allows context-dependent attackers to execute
arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol
requests with crafted size values, which triggers a heap-based buffer
Second issue was assigned CVE id CVE-2007-4990, see separate bug #322961.
This issue was addressed in:
Red Hat Enterprise Linux:
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.