Bug 322961 (CVE-2007-4990) - CVE-2007-4990 xfs heap overflow in the swap_char2b function
Summary: CVE-2007-4990 xfs heap overflow in the swap_char2b function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4990
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 373321 373331 419451 419461 419481 419501 429336
Blocks:
 
Reported: 2007-10-08 10:05 UTC by Tomas Hoger
Modified: 2021-02-25 17:51 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-17 15:21:41 UTC
Embargoed:


Links
- Red Hat Product Errata RHSA-2008:0029 (private: 0, priority: normal, status: SHIPPED_LIVE) - Important: XFree86 security update (last updated 2008-01-19 02:59:54 UTC)
- Red Hat Product Errata RHSA-2008:0030 (private: 0, priority: normal, status: SHIPPED_LIVE) - Important: xorg-x11 security update (last updated 2008-01-19 02:20:50 UTC)

Description Tomas Hoger 2007-10-08 10:05:38 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4990 to the following vulnerability:

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows
context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and
(2) QueryXExtents protocol requests with crafted size values that specify an
arbitrary number of bytes to be swapped on the heap, which triggers heap
corruption.

References:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
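The description above boils down to a server trusting a client-supplied element count and byte-swapping that many entries on the heap, regardless of how many bytes the request actually carried. The following is an added illustration written for this page, not xfs source and not the upstream fix: a hypothetical request handler with a constructed wire layout (a 4-byte big-endian count followed by 2-byte entries) that derives the swap length from the count only after checking it against the bytes actually received. The function names `swap_pairs`, `handle_query_checked` and `run_demo` and the message layout are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Swap adjacent byte pairs in place. This is the kind of work a char2b
 * byte-swap routine does when client and server byte orders differ; the
 * hazard in the report is the caller passing a length the buffer does not
 * actually have. */
static void swap_pairs(uint8_t *p, size_t nbytes) {
    for (size_t i = 0; i + 1 < nbytes; i += 2) {
        uint8_t t = p[i];
        p[i] = p[i + 1];
        p[i + 1] = t;
    }
}

/* Hypothetical request handler (constructed layout, not the X font protocol):
 *   bytes 0..3  big-endian count of 2-byte entries the client claims to send
 *   bytes 4..   the entries themselves
 * Swaps the entries in place. Returns the number of entries swapped, or -1
 * when the message is rejected. The checks are the point: the claimed count
 * is never turned into a byte length before it has been bounded by the
 * number of bytes that were actually received. */
long handle_query_checked(uint8_t *msg, size_t msg_len) {
    if (msg_len < 4)
        return -1;                              /* header incomplete */
    uint32_t count = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                     ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    size_t body_len = msg_len - 4;
    if (count > SIZE_MAX / 2)
        return -1;                              /* count * 2 would wrap */
    size_t need = (size_t)count * 2;
    if (need > body_len)
        return -1;                              /* claimed length exceeds payload */
    swap_pairs(msg + 4, need);
    return (long)count;
}

/* Exercises the handler on constructed messages. Returns a bitmask:
 * bit 0: a well-formed message is swapped correctly
 * bit 1: an oversized count is rejected and the body left untouched
 * bit 2: a truncated header is rejected */
int run_demo(void) {
    int ok = 0;

    /* constructed: count = 2, body = 01 02 03 04 */
    uint8_t good[] = {0, 0, 0, 2, 1, 2, 3, 4};
    if (handle_query_checked(good, sizeof good) == 2 &&
        good[4] == 2 && good[5] == 1 && good[6] == 4 && good[7] == 3)
        ok |= 1;

    /* constructed: count = 4096 (8192 bytes claimed) but only 4 body bytes */
    uint8_t bad[] = {0, 0, 0x10, 0, 1, 2, 3, 4};
    if (handle_query_checked(bad, sizeof bad) == -1 &&
        bad[4] == 1 && bad[5] == 2)
        ok |= 2;

    /* constructed: two bytes, shorter than the 4-byte header */
    uint8_t tiny[] = {0, 0};
    if (handle_query_checked(tiny, sizeof tiny) == -1)
        ok |= 4;

    return ok;
}

int main(void) {
    printf("demo result mask: %d (7 means all checks behaved)\n", run_demo());
    return 0;
}
```

The overflow guard before the multiplication matters on 32-bit builds, where a count near `UINT32_MAX` would otherwise wrap `count * 2` into a small value that passes the length comparison.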

Comment 3 Tomas Hoger 2007-10-08 10:25:22 UTC
For justification of security impact, see:

  https://bugzilla.redhat.com/show_bug.cgi?id=281921#c3

Comment 18 Red Hat Product Security 2008-01-22 19:40:52 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0030.html
  http://rhn.redhat.com/errata/RHSA-2008-0029.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263

Comment 20 Mark J. Cox 2008-01-24 11:00:02 UTC
For Red Hat Enterprise Linux 5:

We believe that additional checks performed by glibc on data structures used
by heap memory management functions make this issue harder to exploit on RHEL5.
Moreover, successful exploitation will only allow an attacker to get privileges
of the unprivileged xfs user.  Moreover, the xfs server is by default confined by the
SELinux policy, which further restricts privileges of the xfs user.


Comment 23 Vincent Danen 2015-02-17 15:21:41 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

