Bug 322961 - (CVE-2007-4990) CVE-2007-4990 xfs heap overflow in the swap_char2b function
CVE-2007-4990 xfs heap overflow in the swap_char2b function
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
public=20071002,reported=20070906,sou...
: Reopened, Security
Depends On: 373321 373331 419451 419461 419481 419501 429336
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-08 06:05 EDT by Tomas Hoger
Modified: 2015-02-19 04:15 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-17 10:21:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2007-10-08 06:05:38 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4990 to the following vulnerability:

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows
context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and
(2) QueryXExtents protocol requests with crafted size values that specify an
arbitrary number of bytes to be swapped on the heap, which triggers heap
corruption.

References:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
Comment 3 Tomas Hoger 2007-10-08 06:25:22 EDT
For justification of security impact, see:

  https://bugzilla.redhat.com/show_bug.cgi?id=281921#c3
Comment 18 Red Hat Product Security 2008-01-22 14:40:52 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0030.html
  http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263
Comment 20 Mark J. Cox (Product Security) 2008-01-24 06:00:02 EST
For Red Hat Enterprise Linux 5:

We believe that additional checks performed by glibc on data structures used
by heap memory management functions make this issue harder to exploit on RHEL5.
Moreover, successful exploitation will only allow attacker to get privileges
of unprivileged xfs user.  Moreover, xfs server is be default confined by the
SELinux policy, which further restricts privileges of the xfs user.
Comment 23 Vincent Danen 2015-02-17 10:21:41 EST
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Note You need to log in before you can comment on or make changes to this bug.