Vulnerability CVE-2006-3740

Vulnerability Name:

CVE-2006-3740 (CCN-28890)

Assigned:

2006-09-12

Published:

2006-09-12

Updated:

2018-10-17

Summary:

Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.

CVSS v3 Severity:

8.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2006-3740

Source: CCN
Type: RHSA-2006-0665
xorg-x11 security update

Source: CCN
Type: RHSA-2006-0666
XFree86 security update

Source: CCN
Type: SA21864
X11 libXfont CID Encoded Fonts Integer Overflows

Source: SECUNIA
Type: UNKNOWN
21864

Source: SECUNIA
Type: UNKNOWN
21889

Source: CCN
Type: SA21890
XFree86 CID Encoded Fonts Integer Overflows

Source: SECUNIA
Type: UNKNOWN
21890

Source: SECUNIA
Type: UNKNOWN
21894

Source: SECUNIA
Type: UNKNOWN
21900

Source: SECUNIA
Type: UNKNOWN
21904

Source: SECUNIA
Type: UNKNOWN
21908

Source: SECUNIA
Type: UNKNOWN
21924

Source: SECUNIA
Type: UNKNOWN
22080

Source: CCN
Type: SA22141
Avaya Modular Messaging X11 libXfont Integer Overflows

Source: SECUNIA
Type: UNKNOWN
22141

Source: SECUNIA
Type: UNKNOWN
22332

Source: CCN
Type: SA22560
Avaya Products XFree86 Integer Overflow Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
22560

Source: SECUNIA
Type: UNKNOWN
23033

Source: CCN
Type: SA23899
Sun Solaris 10 Xorg X Server Integer Overflows

Source: SECUNIA
Type: UNKNOWN
23899

Source: CCN
Type: SA23907
Sun Solaris 9 Xorg X Server Integer Overflows

Source: SECUNIA
Type: UNKNOWN
23907

Source: CCN
Type: SA24636
VMware ESX Server Multiple Security Updates

Source: SECUNIA
Type: UNKNOWN
24636

Source: GENTOO
Type: UNKNOWN
GLSA-200609-07

Source: CCN
Type: SECTRACK ID: 1016828
X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: UNKNOWN
1016828

Source: SUNALERT
Type: UNKNOWN
102780

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-190.htm

Source: CCN
Type: ASA-2006-190
xorg-x11 security update (RHSA-2006-0665)

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-191.htm

Source: CCN
Type: ASA-2006-191
XFree86 security update (RHSA-2006-0666)

Source: CCN
Type: ASA-2007-043
Two Integer Overflow Vulnerabilities Found in the Xorg(1) X Server (Sun 102780)

Source: DEBIAN
Type: UNKNOWN
DSA-1193

Source: DEBIAN
Type: DSA-1193
xfree86 -- several vulnerabilities

Source: CCN
Type: GLSA-200609-07
LibXfont, monolithic X.org: Multiple integer overflows

Source: IDEFENSE
Type: Patch, Vendor Advisory
20060912 Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow Vulnerability

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:164

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:023

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0665

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0666

Source: BUGTRAQ
Type: UNKNOWN
20060912 rPSA-2006-0167-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs

Source: BUGTRAQ
Type: UNKNOWN
20070330 VMSA-2007-0002 VMware ESX security updates

Source: BID
Type: UNKNOWN
19974

Source: CCN
Type: BID-19974
X.Org LibXfont CID Font File Multiple Integer Overflow Vulnerabilities

Source: CCN
Type: USN-344-1
X.org vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-344-1

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html

Source: VUPEN
Type: UNKNOWN
ADV-2006-3581

Source: VUPEN
Type: UNKNOWN
ADV-2006-3582

Source: VUPEN
Type: UNKNOWN
ADV-2007-0322

Source: VUPEN
Type: UNKNOWN
ADV-2007-1171

Source: CCN
Type: X.Org Foundation Web site
X.Org Foundation

Source: CCN
Type: XFree86 Web site
XFree@ Home to the X Window System

Source: XF
Type: UNKNOWN
xorg-server-scancidfont-overflow(28890)

Source: XF
Type: UNKNOWN
xorg-server-scancidfont-overflow(28890)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-614

Source: CCN
Type: iDEFENSE ADVISORY: 09.12.06
Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow Vulnerability

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9454

Source: SUSE
Type: SUSE-SR:2006:023
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:x.org:x.org:6.8.2:*:*:*:*:*:*:*

OR cpe:/a:xfree86_project:xfree86_x:*:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

Configuration CCN 1:

cpe:/a:xfree86:xfree86:3.3.2:*:*:*:*:*:*:*

AND

cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20063740	V	CVE-2006-3740	2017-09-27
oval:org.mitre.oval:def:9454	V	Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.	2013-04-29
oval:org.debian:def:1193	V	several vulnerabilities	2006-10-09
oval:com.redhat.rhsa:def:20060665	P	RHSA-2006:0665: xorg-x11 security update (Important)	2006-09-12
oval:com.redhat.rhsa:def:20060666	P	RHSA-2006:0666: XFree86 security update (Important)	2006-09-12

BACK