Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200710-11 ] X Font Server: Multiple Vulnerabilities
Date: Fri, 12 Oct 2007 21:53:49
Message-Id: 470FE787.2020709@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200710-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: X Font Server: Multiple Vulnerabilities
      Date: October 12, 2007
      Bugs: #185660, #194606
        ID: 200710-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Three vulnerabilities have been discovered in the X Font Server
possibly allowing local attackers to gain elevated privileges.

Background
==========

The X.Org X11 X Font Server provides a standard mechanism for an X
server to communicate with a font renderer.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  x11-apps/xfs        < 1.0.5                              >= 1.0.5

Description
===========

iDefense reported that the xfs init script does not correctly handle a
race condition when setting permissions of a temporary file
(CVE-2007-3103). Sean Larsson discovered an integer overflow
vulnerability in the build_range() function possibly leading to a
heap-based buffer overflow when handling "QueryXBitmaps" and
"QueryXExtents" protocol requests (CVE-2007-4568). Sean Larsson also
discovered an error in the swap_char2b() function possibly leading to a
heap corruption when handling the same protocol requests
(CVE-2007-4990).

Impact
======

The first issue would allow a local attacker to change permissions of
arbitrary files to be world-writable by performing a symlink attack.
The second and third issues would allow a local attacker to execute
arbitrary code with privileges of the user running the X Font Server,
usually xfs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All X Font Server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-apps/xfs-1.0.5"

References
==========

  [ 1 ] CVE-2007-3103
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3103
  [ 2 ] CVE-2007-4568
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4568
  [ 3 ] CVE-2007-4990
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4990

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200710-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHD+eHuhJ+ozIKI5gRAlcdAJ4t+dNJKPDJFQEte8XCtLiIcjzu1QCfdoaF
uFfqllq2K1mtyPSCW+jz6DU=
=iwzz
-----END PGP SIGNATURE-----
--
gentoo-announce@g.o mailing list
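
The symlink attack described under Impact depends on a permission change that is applied to a path name, which follows a symbolic link sitting at that name. The C code below is an added example, not part of the advisory and not Gentoo or X.Org code; set_mode_nofollow(), mode_of() and selftest() are hypothetical names and every path is a constructed fixture. It changes permissions through a descriptor opened with O_NOFOLLOW, so a link at the expected name is refused instead of followed.

```c
/* Added example: not Gentoo or X.Org code. set_mode_nofollow(), mode_of()
 * and selftest() are hypothetical names; all paths are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve the name once, refuse a symlink in the final component, then
 * check and change the object behind the descriptor, not the path. */
int set_mode_nofollow(const char *path, mode_t mode, uid_t owner)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* symlink, missing, or not a directory */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == owner)
        rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

static mode_t mode_of(const char *p)   /* permission bits, following links */
{
    struct stat st;
    return stat(p, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Returns 0 if every check passes, else the number of the failed step. */
int selftest(void)
{
    char base[] = "/tmp/glsa-demo-XXXXXX", target[64], lnk[64], dir[64];
    if (!mkdtemp(base)) return 1;
    snprintf(target, sizeof target, "%s/target", base);
    snprintf(lnk, sizeof lnk, "%s/lnk", base);
    snprintf(dir, sizeof dir, "%s/workdir", base);
    if (mkdir(target, 0700) || mkdir(dir, 0700) || symlink(target, lnk)) return 2;
    mode_t before = mode_of(target);
    /* Descriptor-based call refuses the link; the target is untouched. */
    if (set_mode_nofollow(lnk, 01777, geteuid()) != -1 || mode_of(target) != before) return 3;
    /* Path-based chmod() follows the link and changes the target. */
    if (chmod(lnk, 01777) || mode_of(target) != 01777) return 4;
    /* A real directory owned by the caller is changed as intended. */
    if (set_mode_nofollow(dir, 01777, geteuid()) || mode_of(dir) != 01777) return 5;
    unlink(lnk); rmdir(target); rmdir(dir); rmdir(base);
    return 0;
}
int main(void) { return selftest(); }
```

The owner check on the descriptor also rejects a directory that another user created at the expected name before the privileged caller ran.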