Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4990 to the following vulnerability: The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption. References: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602 http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
Upstream patch: http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xfs-1.0.4-query.diff
For justification of security impact, see: https://bugzilla.redhat.com/show_bug.cgi?id=281921#c3
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0030.html http://rhn.redhat.com/errata/RHSA-2008-0029.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263
For Red Hat Enterprise Linux 5: We believe that additional checks performed by glibc on data structures used by heap memory management functions make this issue harder to exploit on RHEL5. Moreover, successful exploitation will only allow attacker to get privileges of unprivileged xfs user. Moreover, xfs server is be default confined by the SELinux policy, which further restricts privileges of the xfs user.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.