X.Org LibXFont Multiple Local Integer Overflow Vulnerabilities
BID:23283
Info
| Bugtraq ID: | 23283 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-1351 CVE-2007-1352 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 03 2007 12:00AM |
| Updated: | May 09 2008 06:15PM |
| Credit: | These issues were disclosed by iDefense. |
| Vulnerable: |
XFree86 X11R6 4.3 .0.2 XFree86 X11R6 4.3 .0.1 XFree86 X11R6 4.3 .0 X.org LibXfont 1.2.2 Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux wizpy 0 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Turbolinux FUJI 0 Trustix Secure Linux 3.0.5 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 TransSoft Broker FTP Server 8.0 SuSE SUSE Linux Enterprise Server SDK 9 SuSE SUSE Linux Enterprise Server 9 SP3 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SuSE SUSE Linux Enterprise SDK 9 SuSE SUSE Linux Enterprise SDK 10 SuSE SUSE Linux Enterprise SDK 10 SuSE Suse Linux Enterprise Desktop 10 SuSE Linux Openexchange Server SuSE Linux Enterprise Server 9-SP3 SuSE Linux Enterprise Server 9 SuSE Linux Enterprise Server 10 SuSE Linux Desktop 1.0 SuSE Linux Desktop 10 SuSE Linux 9.3 x86-64 SuSE Linux 9.3 x86 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc SuSE Linux 10.0 x86-64 SuSE Linux 10.0 x86 SuSE Linux 10.0 ppc Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 10.0_x86 Sun Solaris 10.0 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 11.0 SGI ProPack 3.0 SP6 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. SuSE Linux Open-Xchange 4.1 S.u.S.E. SUSE CORE 9 for x86 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 9.0 S.u.S.E. Open-Enterprise-Server 1 S.u.S.E. 
Open-Enterprise-Server 0 S.u.S.E. Office Server S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Novell Linux Desktop 1.0 S.u.S.E. Novell Linux Desktop 9 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.2 X86 64 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.2 X86 64 S.u.S.E. Linux Personal 10.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Office Server S.u.S.E. Linux Enterprise Server for S/390 9.0 S.u.S.E. Linux Enterprise Server for S/390 S.u.S.E. Linux Database Server 0 S.u.S.E. Linux Connectivity Server rPath rPath Linux 1 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Enterprise Linux 5 Server Redhat Desktop 4.0 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 Pardus Linux 2007.1 OpenBSD OpenBSD 4.0 OpenBSD OpenBSD 3.9 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Linux Terminal Server Project Linux Terminal Server Project 4.2 Gentoo Linux FreeType FreeType 2.2.10 FreeType FreeType 2.2.1 FreeType FreeType 2.1.10 FreeType FreeType 2.1.9 FreeType FreeType 2.1.7 FreeType FreeType 2.0.9 FreeType FreeType 2.0.6 FreeType FreeType 
2.2 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Avaya Messaging Storage Server MSS 3.0 Avaya Messaging Storage Server MM3.0 Avaya Messaging Storage Server 2.0 Avaya Messaging Storage Server 1.0 Avaya Messaging Storage Server Avaya Message Networking MN 3.1 Avaya Message Networking Avaya Intuity LX 2.0 Avaya Intuity LX Avaya Interactive Response 2.0 Avaya Integrated Management 2.1 Avaya Integrated Management Avaya EMMC 0 Avaya CVLAN Avaya Communication Manager 2.0.1 Avaya Communication Manager 2.0 Avaya Communication Manager 3.0 Avaya CMS Server 13.0 Avaya CMS Server 12.0 Avaya CMS Server 11.0 Avaya CMS Server 9.0 Avaya CMS Server 14.0 Avaya CMS Server 13.1 Apple Safari 3.0.3 Beta for Windows Apple Safari 3.0.2 Beta for Windows Apple Safari 3.0.1 Beta for Windows Apple Safari 3 Beta for Windows |
| Not Vulnerable: | Linux Terminal Server Project Linux Terminal Server Project 5.0 Avaya Communication Manager 4.0 Avaya Communication Manager 3.1 Apple Safari 3.0.4 Beta for Windows |
Discussion
The 'libXfont' library is prone to multiple local integer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data.
An attacker can exploit these vulnerabilities to execute arbitrary code with superuser privileges. Failed exploit attempts will likely cause denial-of-service conditions.
These issues affect libXfont 1.2.2; other versions may also be vulnerable.
Exploit / POC
Currently we are not aware of any exploits for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Please see the referenced advisories for more information.
OpenBSD OpenBSD 3.9
- OpenBSD 021_xorg.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/021_xorg.patch
Sun Solaris 8_sparc
- Sun 119067-07
  http://sunsolve.sun.com/patches/
- Sun 124420-02
  libfreetype
  http://sunsolve.sun.com/patches/
Turbolinux wizpy 0
- Turbolinux xorg-x11-100dpi-fonts-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-6.8.2-49.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-75dpi-fonts-6.8.2-49.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-75dpi-fonts-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-contrib-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-cyrillic-fonts-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-devel-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-fonts-6.8.2-49.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-fonts-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-libs-6.8.2-49.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-libs-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-twm-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xcursor-6.8.2-49.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xcursor-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xcursor-devel-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xf86config-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xfs-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xft-6.8.2-49.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xft-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-xft-devel-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux xorg-x11-Xvfb-6.8.2-49.i686.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
FreeType FreeType 2.1.7
- Ubuntu freetype2-demos_2.1.7-2.4ubuntu1.3_powerpc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.4ubuntu1.3_powerpc.deb
- Ubuntu freetype2-demos_2.1.7-2.4ubuntu1.3_sparc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/freetype2-demos_2.1.7-2.4ubuntu1.3_sparc.deb
- Ubuntu libfreetype6-dev_2.1.7-2.4ubuntu1.3_powerpc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.4ubuntu1.3_powerpc.deb
- Ubuntu libfreetype6-dev_2.1.7-2.4ubuntu1.3_sparc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6-dev_2.1.7-2.4ubuntu1.3_sparc.deb
- Ubuntu libfreetype6-udeb_2.1.7-2.4ubuntu1.3_powerpc.udeb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.4ubuntu1.3_powerpc.udeb
- Ubuntu libfreetype6-udeb_2.1.7-2.4ubuntu1.3_sparc.udeb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/universe/f/freetype/libfreetype6-udeb_2.1.7-2.4ubuntu1.3_sparc.udeb
- Ubuntu libfreetype6_2.1.7-2.4ubuntu1.3_powerpc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.4ubuntu1.3_powerpc.deb
- Ubuntu libfreetype6_2.1.7-2.4ubuntu1.3_sparc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/main/f/freetype/libfreetype6_2.1.7-2.4ubuntu1.3_sparc.deb
- Ubuntu libxfont-dev_0.99.0+cvs.20050909-1.3_sparc.deb
  Ubuntu 5.10:
  http://security.ubuntu.com/ubuntu/pool/main/libx/libxfont/libxfont-dev_0.99.0+cvs.20050909-1.3_sparc.deb
References
References:
- ASA-2007-178 - Multiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1) (Sun (Avaya)
- Bugzilla Bug 234058: CVE-2007-1351 Multiple font integer overflows (CVE-2007-135 (Red Hat)
- Safari 3 Download Page (Apple)
- X.Org Home Page (X.Org)
- [ GLSA 200805-07 ] Linux Terminal Server Project: Multiple vulnerabilities (Robert Buchholz)
- iDefense Security Advisory 04.03.07: Multiple Vendor X Server BDF Font Parsing I (iDefense)
- iDefense Security Advisory 04.03.07: Multiple Vendor X Server fonts.dir File Par (iDefense)
- New php5 packages fix several vulnerabilities (Debian)
- 011: SECURITY FIX: April 4, 2007 (OpenBSD)
- 021: SECURITY FIX: April 4, 2007 (OpenBSD)
- ASA-2007-141 xorg-x11 security update (RHSA-2007-0126) (Avaya)
- ASA-2007-167 XFree86 security update (RHSA-2007-0125) (Avaya)
- Avaya Security Advisory ASA-2007-193 (Avaya)
- Debian Linux Security Advisory DSA-1294-1 (Debian)
- Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability (iDefense)
- Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability (iDefense Labs)
- RHSA-2007:0125-3 XFree86 security update (Red Hat)
- RHSA-2007:0126-3 xorg-x11 security update (Red Hat)
- RHSA-2007:0132-3 libXfont security update (Red Hat)
- RHSA-2007:0150-2 freetype security update (Red Hat)
- Sun Alert ID: 102886 Multiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1 (Sun Microsystems)