Bug 281921 - CVE-2007-4568 xfs integer overflow in the build_range function
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Reopened, Security
Depends On: 373251 373261 419451 419461 419481 419501
Reported: 2007-09-07 03:33 EDT by Tomas Hoger
Modified: 2016-03-04 06:06 EST (History)

Doc Type: Bug Fix
Last Closed: 2015-02-17 10:20:27 EST

Attachments
Upstream patch against X.Org 7.2 for first issue. (1.06 KB, patch)
2007-09-07 03:40 EDT, Tomas Hoger
Upstream patch against X.Org 7.2 for second issue. (1.14 KB, patch)
2007-09-07 03:41 EDT, Tomas Hoger
Updated patch provided by Matthieu Herrb (both fixed now in one patch) (2.44 KB, patch)
2007-09-17 02:54 EDT, Tomas Hoger

Description Tomas Hoger 2007-09-07 03:33:19 EDT
From Matthieu Herrb:

iDefense has brought to X.Org's security team 2 vulnerabilities in
X.Org's font server, xfs.

The 1st one is an integer overflow in the build_range() function,
exploitable by the QueryXBitmaps and QueryXExtents requests.

The 2nd one is a potential heap overflow in the swap_char2b() function,
exploitable by the same 2 requests, to arbitrarily swap bytes two by two on
the heap.

X.Org 7.3 (released today) as well as all previous versions are vulnerable.
Other implementations of the X font server based on the original X/MIT
implementation are likely to be vulnerable too.

The impact of these vulnerabilities is pretty low according to both
iDefense's analysis and mine: most modern systems ship xfs either
disabled by default or listening only to a local Unix domain socket, so
it's not remotely accessible, and moreover the nature of the overflow
makes it difficult to actually exploit the vulnerability to get code
executed (but it's not strictly speaking impossible afaict), and lastly
xfs should not be running as root anywhere.

Disclosure date: October 2, 14H GMT
Comment 1 Tomas Hoger 2007-09-07 03:40:49 EDT
Created attachment 189581 [details]
Upstream patch against X.Org 7.2 for first issue.
Comment 2 Tomas Hoger 2007-09-07 03:41:46 EDT
Created attachment 189591 [details]
Upstream patch against X.Org 7.2 for second issue.
Comment 3 Josh Bressers 2007-09-10 21:19:14 EDT
I believe these flaws should be given a low severity rating.  The worst possible
outcome would be a local user gaining access to the xfs user, which really only
has access to the xfs daemon.  Even if the xfs daemon dies, a running X session
will continue, so there is minimal loss of functionality.
Comment 6 Tomas Hoger 2007-09-17 02:54:44 EDT
Created attachment 197041 [details]
Updated patch provided by Matthieu Herrb (both fixed now in one patch)
Comment 7 Lubomir Kundrak 2007-10-03 11:04:19 EDT
Lifting embargo.
Comment 8 Tomas Hoger 2007-10-08 06:10:09 EDT
Each of the vulnerabilities has now got a separate CVE id:

Integer overflow in the build_range function in X.Org X Font Server
(xfs) before 1.0.5 allows context-dependent attackers to execute
arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol
requests with crafted size values, which triggers a heap-based buffer

Second issue was assigned CVE id CVE-2007-4990, see separate bug #322961.
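The CVE text above describes the first issue as a count-times-size computation that wraps when a request carries crafted size values, so the heap buffer ends up smaller than the data later written into it. The following C program is an added illustration of that defect class and its fix; it is not the xfs build_range() code or the attached patches. The `range_t` record, the `RANGE_SIZE` constant, the function names and the sample count `0x20000001` are all constructed for this example, and the hardened version assumes one 8-byte record per range in the request body so it can bound the count by the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical range record standing in for whatever per-range structure
 * a font server builds from a QueryXBitmaps/QueryXExtents request.
 * Two 32-bit endpoints, 8 bytes. This is NOT the real xfs definition. */
typedef struct {
    uint32_t min_char;
    uint32_t max_char;
} range_t;

#define RANGE_SIZE ((uint32_t)sizeof(range_t))

/* Unchecked pattern: the client-supplied 32-bit count is multiplied by the
 * record size in 32-bit arithmetic, so a large count wraps to a small byte
 * total. A buffer of that size is then far too small for the records that
 * are copied into it afterwards. Returns the (possibly wrapped) byte count. */
uint32_t unchecked_alloc_size(uint32_t nranges)
{
    return nranges * RANGE_SIZE;   /* uint32_t * uint32_t wraps modulo 2^32 */
}

/* Hardened version with two independent checks:
 *   1. the multiplication must not overflow the size type;
 *   2. the count must be backed by data actually present in the request
 *      (assumption: one RANGE_SIZE-byte record per range in the body).
 * Returns 0 and stores the byte count in *out on success, -1 on rejection. */
int checked_alloc_size(uint32_t nranges, uint32_t request_bytes_left, uint32_t *out)
{
    if (nranges > UINT32_MAX / RANGE_SIZE)
        return -1;                      /* product would wrap */
    if (nranges > request_bytes_left / RANGE_SIZE)
        return -1;                      /* claims more records than were sent */
    *out = nranges * RANGE_SIZE;
    return 0;
}

/* Allocate the range array only when the size passes checked_alloc_size.
 * Returns NULL on rejection or allocation failure, so callers fail closed. */
range_t *alloc_ranges(uint32_t nranges, uint32_t request_bytes_left)
{
    uint32_t bytes;
    if (checked_alloc_size(nranges, request_bytes_left, &bytes) != 0)
        return NULL;
    return (range_t *)malloc(bytes);
}

int main(void)
{
    /* Constructed count: 0x20000001 * 8 = 0x100000008, which wraps to 8. */
    uint32_t crafted = 0x20000001u;
    uint32_t bytes = 0;

    printf("unchecked: %u ranges -> %u bytes (wrapped)\n",
           crafted, unchecked_alloc_size(crafted));

    if (checked_alloc_size(crafted, UINT32_MAX, &bytes) != 0)
        printf("checked:   %u ranges rejected (overflow)\n", crafted);

    /* A plausible request: 4 ranges backed by 32 bytes of body. */
    if (checked_alloc_size(4u, 32u, &bytes) == 0)
        printf("checked:   4 ranges -> %u bytes\n", bytes);

    /* 5 ranges claimed but only 32 bytes present: rejected by check 2. */
    if (checked_alloc_size(5u, 32u, &bytes) != 0)
        printf("checked:   5 ranges rejected (count exceeds request body)\n");

    range_t *r = alloc_ranges(4u, 32u);
    free(r);
    return 0;
}
```

The second check is the one that matters most for a network-facing parser: even a count that does not overflow can exceed what the peer actually sent, and bounding it by the remaining request length keeps every later copy inside data that exists. Checking only for arithmetic overflow, as in check 1 alone, would still accept such counts.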
Comment 29 Red Hat Product Security 2008-01-22 14:40:35 EST
This issue was addressed in:

Red Hat Enterprise Linux:

Comment 33 Vincent Danen 2015-02-17 10:20:27 EST

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
