Bug 281921 (CVE-2007-4568) - CVE-2007-4568 xfs integer overflow in the build_range function
Summary: CVE-2007-4568 xfs integer overflow in the build_range function
Alias: CVE-2007-4568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 373251 373261 419451 419461 419481 419501
Reported: 2007-09-07 07:33 UTC by Tomas Hoger
Modified: 2019-09-29 12:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-17 15:20:27 UTC

Attachments
Upstream patch against X.Org 7.2 for first issue. (1.06 KB, patch)
2007-09-07 07:40 UTC, Tomas Hoger
Upstream patch against X.Org 7.2 for second issue. (1.14 KB, patch)
2007-09-07 07:41 UTC, Tomas Hoger
Updated patch provided by Matthieu Herrb (both fixed now in one patch) (2.44 KB, patch)
2007-09-17 06:54 UTC, Tomas Hoger

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0029 normal SHIPPED_LIVE Important: XFree86 security update 2008-01-19 02:59:54 UTC
Red Hat Product Errata RHSA-2008:0030 normal SHIPPED_LIVE Important: xorg-x11 security update 2008-01-19 02:20:50 UTC

Description Tomas Hoger 2007-09-07 07:33:19 UTC
From Matthieu Herrb:

iDefense has brought to X.Org's security team 2 vulnerabilities in
X.Org's font server, xfs.

The 1st one is an integer overflow in the build_range() function,
exploitable by the QueryXBitmaps and QueryXExtents requests.

The 2nd one is a potential heap overflow in the swap_char2b() function,
exploitable by the same 2 requests, to arbitrarily swap bytes two by two on
the heap.

X.Org 7.3 (released today) as well as all previous versions are vulnerable.
Other implementations of the X font server based on the original X/MIT
implementation are likely to be vulnerable too.

The impact of these vulnerabilities is pretty low according to both
iDefense's analysis and mine: most modern systems ship xfs either
disabled by default or listening only on a local Unix domain socket, so
it's not remotely accessible, and moreover the nature of the overflow
makes it difficult to actually exploit the vulnerability to get code
executed (but it's not strictly speaking impossible afaict), and lastly
xfs should not be running as root anywhere.

Disclosure date: October 2, 14H GMT

Comment 1 Tomas Hoger 2007-09-07 07:40:49 UTC
Created attachment 189581 [details]
Upstream patch against X.Org 7.2 for first issue.

Comment 2 Tomas Hoger 2007-09-07 07:41:46 UTC
Created attachment 189591 [details]
Upstream patch against X.Org 7.2 for second issue.

Comment 3 Josh Bressers 2007-09-11 01:19:14 UTC
I believe these flaws should be given a low severity rating.  The worst possible
outcome would be a local user gaining access to the xfs user, which really only
has access to the xfs daemon.  Even if the xfs daemon dies, a running X session
will continue, so there is minimal loss of functionality.

Comment 6 Tomas Hoger 2007-09-17 06:54:44 UTC
Created attachment 197041 [details]
Updated patch provided by Matthieu Herrb (both fixed now in one patch)

Comment 7 Lubomir Kundrak 2007-10-03 15:04:19 UTC
Lifting embargo;

Comment 8 Tomas Hoger 2007-10-08 10:10:09 UTC
Each of the vulnerabilities has now got a separate CVE id:

Integer overflow in the build_range function in X.Org X Font Server
(xfs) before 1.0.5 allows context-dependent attackers to execute
arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol
requests with crafted size values, which triggers a heap-based buffer

Second issue was assigned CVE id CVE-2007-4990, see separate bug #322961.
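The flaw class described in the report above and in the CVE text in this comment (a client-supplied count multiplied by an item size in 32-bit arithmetic, wrapping to a small allocation that the subsequent copy then overruns) is shown below as an added example in C. This is illustrative code written for this page, not the xfs build_range() source or the upstream patch; the range_t layout, the little-endian count prefix, the request bytes and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: a 4-byte range record holding a
 * first/last char2b pair. It stands in for the item type whose size
 * is multiplied by a client-supplied count; it is not the xfs
 * fsRange definition. */
typedef struct {
    uint8_t first_high, first_low;
    uint8_t last_high, last_low;
} range_t;

/* Vulnerable pattern (modelled, not the xfs code): the byte count
 * for the allocation is derived from an attacker-controlled 32-bit
 * count by unchecked 32-bit multiplication. With n = 0x40000001 the
 * product 0x100000004 wraps to 4, so a caller would malloc 4 bytes
 * and then copy or index n items into it: a heap-based overflow. */
uint32_t range_bytes_unchecked(uint32_t n)
{
    return n * (uint32_t)sizeof(range_t);   /* wraps silently */
}

/* Hardened form: compute in size_t, refuse any count whose product
 * would wrap, and require that the request body actually carries
 * that many bytes so the allocation and the copy length agree.
 * Returns 0 and sets *out on success, -1 on overflow or a short body. */
int range_bytes_checked(uint32_t n, size_t avail, size_t *out)
{
    if ((size_t)n > SIZE_MAX / sizeof(range_t))
        return -1;                        /* product would wrap */
    size_t bytes = (size_t)n * sizeof(range_t);
    if (bytes > avail)
        return -1;                        /* body shorter than the count claims */
    *out = bytes;
    return 0;
}

/* Parse a (constructed) request body: a little-endian 32-bit count
 * followed by that many range_t records. On success returns the count
 * and hands the caller a malloc'd copy of the records; on malformed
 * input returns -1 and allocates nothing. */
long parse_ranges(const uint8_t *req, size_t req_len, range_t **out)
{
    if (req_len < 4)
        return -1;
    uint32_t n = (uint32_t)req[0] | ((uint32_t)req[1] << 8) |
                 ((uint32_t)req[2] << 16) | ((uint32_t)req[3] << 24);
    size_t bytes;
    if (range_bytes_checked(n, req_len - 4, &bytes) != 0)
        return -1;
    range_t *r = malloc(bytes ? bytes : 1);   /* malloc(0) is implementation-defined */
    if (r == NULL)
        return -1;
    memcpy(r, req + 4, bytes);
    *out = r;
    return (long)n;
}

int main(void)
{
    /* Constructed benign request: count = 2, then two 4-byte ranges. */
    const uint8_t good[] = { 2, 0, 0, 0, 0x00, 0x20, 0x00, 0x7e, 0x01, 0x00, 0x01, 0xff };
    /* Constructed hostile request: count = 0x40000001 with only 4 body bytes,
     * the count that makes range_bytes_unchecked() wrap to 4. */
    const uint8_t bad[] = { 0x01, 0x00, 0x00, 0x40, 0, 0, 0, 0 };
    range_t *r = NULL;

    long n = parse_ranges(good, sizeof good, &r);   /* 2 */
    long m = parse_ranges(bad, sizeof bad, &r);     /* -1: rejected before malloc */
    free(r);
    return (n == 2 && m == -1) ? 0 : 1;
}
```

The length check against the remaining request body is what matters in practice: on a 64-bit build the 32-bit wrap cannot happen once the arithmetic is done in size_t, but without comparing the computed size to the bytes actually received, a count larger than the body would still drive an over-read of the request buffer.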

Comment 29 Red Hat Product Security 2008-01-22 19:40:35 UTC
This issue was addressed in:

Red Hat Enterprise Linux:


Comment 33 Vincent Danen 2015-02-17 15:20:27 UTC

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
