Vulnerability Name:

CVE-2006-3739 (CCN-28899)

Assigned: 2006-09-12
Published: 2006-09-12
Updated: 2018-10-17
Summary: Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Privileges
References:

Source: MITRE
Type: CNA
CVE-2006-3739

Source: CCN
Type: NetBSD-SA2006-021
Integer overflows in CID-keyed font parser

Source: CCN
Type: RHSA-2006-0665
xorg-x11 security update

Source: CCN
Type: RHSA-2006-0666
XFree86 security update

Source: CCN
Type: SA21864
X11 libXfont CID Encoded Fonts Integer Overflows

Source: SECUNIA
Type: UNKNOWN
21864

Source: SECUNIA
Type: UNKNOWN
21889

Source: CCN
Type: SA21890
XFree86 CID Encoded Fonts Integer Overflows

Source: SECUNIA
Type: UNKNOWN
21890

Source: SECUNIA
Type: UNKNOWN
21894

Source: SECUNIA
Type: UNKNOWN
21900

Source: SECUNIA
Type: UNKNOWN
21904

Source: SECUNIA
Type: UNKNOWN
21908

Source: SECUNIA
Type: UNKNOWN
21924

Source: SECUNIA
Type: UNKNOWN
22080

Source: CCN
Type: SA22141
Avaya Modular Messaging X11 libXfont Integer Overflows

Source: SECUNIA
Type: UNKNOWN
22141

Source: SECUNIA
Type: UNKNOWN
22332

Source: CCN
Type: SA22560
Avaya Products XFree86 Integer Overflow Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
22560

Source: SECUNIA
Type: UNKNOWN
23033

Source: CCN
Type: SA23899
Sun Solaris 10 Xorg X Server Integer Overflows

Source: SECUNIA
Type: UNKNOWN
23899

Source: CCN
Type: SA24636
VMware ESX Server Multiple Security Updates

Source: SECUNIA
Type: UNKNOWN
24636

Source: GENTOO
Type: UNKNOWN
GLSA-200609-07

Source: CCN
Type: SECTRACK ID: 1016828
X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1016828

Source: SUNALERT
Type: UNKNOWN
102714

Source: SUNALERT
Type: UNKNOWN
102780

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-190.htm

Source: CCN
Type: ASA-2006-190
xorg-x11 security update (RHSA-2006-0665)

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-191.htm

Source: CCN
Type: ASA-2006-191
XFree86 security update (RHSA-2006-0666)

Source: CCN
Type: ASA-2007-043
Two Integer Overflow Vulnerabilities Found in the Xorg(1) X Server (Sun 102780)

Source: DEBIAN
Type: UNKNOWN
DSA-1193

Source: DEBIAN
Type: DSA-1193
xfree86 -- several vulnerabilities

Source: CCN
Type: GLSA-200609-07
LibXfont, monolithic X.org: Multiple integer overflows

Source: IDEFENSE
Type: Patch, Vendor Advisory
20060912 Multiple Vendor X Server CID-keyed Fonts 'CIDAFM()' Integer Overflow Vulnerability

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:164

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:023

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0665

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0666

Source: BUGTRAQ
Type: UNKNOWN
20060912 rPSA-2006-0167-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs

Source: BUGTRAQ
Type: UNKNOWN
20070330 VMSA-2007-0002 VMware ESX security updates

Source: BID
Type: UNKNOWN
19974

Source: CCN
Type: BID-19974
X.Org LibXfont CID Font File Multiple Integer Overflow Vulnerabilities

Source: CCN
Type: USN-344-1
X.org vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-344-1

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html

Source: VUPEN
Type: UNKNOWN
ADV-2006-3581

Source: VUPEN
Type: UNKNOWN
ADV-2006-3582

Source: VUPEN
Type: UNKNOWN
ADV-2007-0322

Source: VUPEN
Type: UNKNOWN
ADV-2007-1171

Source: CCN
Type: X.Org Foundation Web site
X.Org Foundation

Source: CCN
Type: XFree86 Web site
XFree86® Home to the X Window System

Source: XF
Type: UNKNOWN
xorg-server-cidafm-overflow(28899)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-614

Source: CCN
Type: iDEFENSE ADVISORY: 09.12.06
Multiple Vendor X Server CID-keyed Fonts 'CIDAFM()' Integer Overflow Vulnerability

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10305

Source: SUSE
Type: SUSE-SR:2006:023
SUSE Security Summary Report

Vulnerable Configuration: Configuration 1:
  • cpe:/a:x.org:x.org:6.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:xfree86_project:xfree86_x:*:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:xfree86:xfree86:3.3.2:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:current:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:2.1:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:4.0:beta:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:3.0.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20063739 | V | CVE-2006-3739 | 2017-09-27
    oval:org.mitre.oval:def:10305 | V | Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow. | 2013-04-29
    oval:org.debian:def:1193 | V | several vulnerabilities | 2006-10-09
    oval:com.redhat.rhsa:def:20060665 | P | RHSA-2006:0665: xorg-x11 security update (Important) | 2006-09-12
    oval:com.redhat.rhsa:def:20060666 | P | RHSA-2006:0666: XFree86 security update (Important) | 2006-09-12
    x.org x.org 6.8.2
    xfree86_project xfree86 x *
    xfree86 xfree86 3.3.2
    gentoo linux *
    netbsd netbsd current
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    netbsd netbsd 2.0
    redhat enterprise linux 3
    mandrakesoft mandrake linux corporate server 3.0
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    debian debian linux 3.1
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 2006
    netbsd netbsd 2.1
    netbsd netbsd 2.0.3
    netbsd netbsd 3.0
    netbsd netbsd 2.0.1
    netbsd netbsd 2.0.2
    canonical ubuntu 6.06
    mandrakesoft mandrake linux 2006
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 3.0
    netbsd netbsd 4.0 beta
    netbsd netbsd 3.0.1
    netbsd netbsd 2.0.4
    netbsd netbsd 3.0.2