CVE-2007-4990

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
https://issues.rpath.com/browse/RPL-1756
http://bugs.freedesktop.org/show_bug.cgi?id=12299
http://bugs.gentoo.org/show_bug.cgi?id=194606
http://security.gentoo.org/glsa/glsa-200710-11.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2007:210
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1
http://www.novell.com/linux/security/advisories/2007_54_xorg.html
http://www.securityfocus.com/bid/25898
http://www.securitytracker.com/id?1018763
http://secunia.com/advisories/27040
http://secunia.com/advisories/27052
http://secunia.com/advisories/27060
http://secunia.com/advisories/27176
http://secunia.com/advisories/27240
http://secunia.com/advisories/27560
http://secunia.com/advisories/27228
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00352.html
http://secunia.com/advisories/28004
http://secunia.com/advisories/28514
http://www.redhat.com/support/errata/RHSA-2008-0029.html
http://www.redhat.com/support/errata/RHSA-2008-0030.html
http://secunia.com/advisories/28536
http://secunia.com/advisories/28542
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200642-1
http://docs.info.apple.com/article.html?artnum=307562
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
http://secunia.com/advisories/29420
http://www.vupen.com/english/advisories/2007/3338
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01323725
http://www.vupen.com/english/advisories/2008/0149
http://www.vupen.com/english/advisories/2007/3337
http://www.vupen.com/english/advisories/2008/0924/references
http://www.vupen.com/english/advisories/2007/3467
https://exchange.xforce.ibmcloud.com/vulnerabilities/36920
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11599
http://www.securityfocus.com/archive/1/481432/100/0/threaded

Configurations

Configuration 1 (hide)

cpe:2.3:a:x.org:x_font_server:*:*:*:*:*:*:*:*

Information

Published : 2007-10-05 14:17

Updated : 2018-10-15 14:39

NVD link : CVE-2007-4990

Mitre link : CVE-2007-4990

JSON object : View

CWE

CWE-189

Numeric Errors

Products Affected

x.org

x_font_server

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602", "name": "20071002 Multiple Vendor X Font Server Multiple Vulnerabilities", "tags": [], "refsource": "IDEFENSE"}, {"url": "http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html", "name": "[xorg-announce] 20071002 [ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server", "tags": [], "refsource": "MLIST"}, {"url": "https://issues.rpath.com/browse/RPL-1756", "name": "https://issues.rpath.com/browse/RPL-1756", "tags": [], "refsource": "CONFIRM"}, {"url": "http://bugs.freedesktop.org/show_bug.cgi?id=12299", "name": "http://bugs.freedesktop.org/show_bug.cgi?id=12299", "tags": [], "refsource": "CONFIRM"}, {"url": "http://bugs.gentoo.org/show_bug.cgi?id=194606", "name": "http://bugs.gentoo.org/show_bug.cgi?id=194606", "tags": [], "refsource": "CONFIRM"}, {"url": "http://security.gentoo.org/glsa/glsa-200710-11.xml", "name": "GLSA-200710-11", "tags": [], "refsource": "GENTOO"}, {"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:210", "name": "MDKSA-2007:210", "tags": [], "refsource": "MANDRIVA"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1", "name": "103114", "tags": [], "refsource": "SUNALERT"}, {"url": "http://www.novell.com/linux/security/advisories/2007_54_xorg.html", "name": "SUSE-SA:2007:054", "tags": [], "refsource": "SUSE"}, {"url": "http://www.securityfocus.com/bid/25898", "name": "25898", "tags": [], "refsource": "BID"}, {"url": "http://www.securitytracker.com/id?1018763", "name": "1018763", "tags": [], "refsource": "SECTRACK"}, {"url": "http://secunia.com/advisories/27040", "name": "27040", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/27052", "name": "27052", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/27060", "name": "27060", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/27176", "name": "27176", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/27240", "name": "27240", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/27560", "name": "27560", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/27228", "name": "27228", "tags": [], "refsource": "SECUNIA"}, {"url": "https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00352.html", "name": "FEDORA-2007-4263", "tags": [], "refsource": "FEDORA"}, {"url": "http://secunia.com/advisories/28004", "name": "28004", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/28514", "name": "28514", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.redhat.com/support/errata/RHSA-2008-0029.html", "name": "RHSA-2008:0029", "tags": [], "refsource": "REDHAT"}, {"url": "http://www.redhat.com/support/errata/RHSA-2008-0030.html", "name": "RHSA-2008:0030", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/28536", "name": "28536", "tags": [], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/28542", "name": "28542", "tags": [], "refsource": "SECUNIA"}, {"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-200642-1", "name": "200642", "tags": [], "refsource": "SUNALERT"}, {"url": "http://docs.info.apple.com/article.html?artnum=307562", "name": "http://docs.info.apple.com/article.html?artnum=307562", "tags": [], "refsource": "CONFIRM"}, {"url": "http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html", "name": "APPLE-SA-2008-03-18", "tags": [], "refsource": "APPLE"}, {"url": "http://secunia.com/advisories/29420", "name": "29420", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.vupen.com/english/advisories/2007/3338", "name": "ADV-2007-3338", "tags": [], "refsource": "VUPEN"}, {"url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01323725", "name": "HPSBUX02303", "tags": [], "refsource": "HP"}, {"url": "http://www.vupen.com/english/advisories/2008/0149", "name": "ADV-2008-0149", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2007/3337", "name": "ADV-2007-3337", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2008/0924/references", "name": "ADV-2008-0924", "tags": [], "refsource": "VUPEN"}, {"url": "http://www.vupen.com/english/advisories/2007/3467", "name": "ADV-2007-3467", "tags": [], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36920", "name": "xfs-queryxbitmaps-queryxextents-bo(36920)", "tags": [], "refsource": "XF"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11599", "name": "oval:org.mitre.oval:def:11599", "tags": [], "refsource": "OVAL"}, {"url": "http://www.securityfocus.com/archive/1/481432/100/0/threaded", "name": "20071003 rPSA-2007-0205-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-189"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2007-4990", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2007-10-05T21:17Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:x.org:x_font_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.0.4"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-15T21:39Z"}

7.5 /10