Vulnerability Name:

CVE-2007-4990 (CCN-36920)

Assigned:2007-10-02
Published:2007-10-02
Updated:2018-10-15
Summary:The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-189
CWE-122
Vulnerability Consequences:Gain Access
References:Source: CONFIRM
Type: UNKNOWN
http://bugs.freedesktop.org/show_bug.cgi?id=12299

Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=194606

Source: MITRE
Type: CNA
CVE-2007-4990

Source: CONFIRM
Type: UNKNOWN
http://docs.info.apple.com/article.html?artnum=307562

Source: HP
Type: UNKNOWN
HPSBUX02303

Source: IDEFENSE
Type: UNKNOWN
20071002 Multiple Vendor X Font Server Multiple Vulnerabilities

Source: APPLE
Type: UNKNOWN
APPLE-SA-2008-03-18

Source: MLIST
Type: UNKNOWN
[xorg-announce] 20071002 [ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server

Source: CCN
Type: RHSA-2008-0029
Important: XFree86 security update

Source: CCN
Type: RHSA-2008-0030
Important: xorg-x11 security update

Source: CCN
Type: SA27040
X.Org X11 X Font Server Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
27040

Source: SECUNIA
Type: UNKNOWN
27052

Source: CCN
Type: SA27060
XFree86 X Font Server Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
27060

Source: CCN
Type: SA27176
Sun Solaris X Font Server Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
27176

Source: SECUNIA
Type: UNKNOWN
27228

Source: SECUNIA
Type: UNKNOWN
27240

Source: SECUNIA
Type: UNKNOWN
27560

Source: SECUNIA
Type: UNKNOWN
28004

Source: SECUNIA
Type: UNKNOWN
28514

Source: SECUNIA
Type: UNKNOWN
28536

Source: SECUNIA
Type: UNKNOWN
28542

Source: CCN
Type: SA29420
Mac OS X Security Update Fixes Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
29420

Source: GENTOO
Type: UNKNOWN
GLSA-200710-11

Source: CCN
Type: SECTRACK ID: 1018763
X Font Server Overflows in QueryXBitmaps and QueryXExtents Requests Let Remote Users Execute Arbitrary Code

Source: CCN
Type: Sun Alert ID: 103114
Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers

Source: SUNALERT
Type: UNKNOWN
103114

Source: SUNALERT
Type: UNKNOWN
200642

Source: CCN
Type: ASA-2007-444
Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers (Sun 103114)

Source: CCN
Type: ASA-2008-035
XFree86 security update (RHSA-2008-0029)

Source: CCN
Type: ASA-2008-036
xorg-x11 security update (RHSA-2008-0030)

Source: CCN
Type: ASA-2008-051
HP-UX Running X Font Server(xfs) Software Remote Execution of Arbitrary Code (HPSBUX02303)

Source: CCN
Type: GLSA-200710-11
X Font Server: Multiple Vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:210

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:054

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0029

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0030

Source: BUGTRAQ
Type: UNKNOWN
20071003 rPSA-2007-0205-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs

Source: BID
Type: UNKNOWN
25898

Source: CCN
Type: BID-25898
X.Org X Font Server Multiple Memory Corruption Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1018763

Source: VUPEN
Type: UNKNOWN
ADV-2007-3337

Source: VUPEN
Type: UNKNOWN
ADV-2007-3338

Source: VUPEN
Type: UNKNOWN
ADV-2007-3467

Source: VUPEN
Type: UNKNOWN
ADV-2008-0149

Source: VUPEN
Type: UNKNOWN
ADV-2008-0924

Source: CCN
Type: X.Org Foundation Web site
X.Org Wiki - Home

Source: XF
Type: UNKNOWN
xfs-queryxbitmaps-queryxextents-bo(36920)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-1756

Source: CCN
Type: iDefense PUBLIC ADVISORY: 10.02.07
Multiple Vendor X Font Server Multiple Vulnerabilities

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11599

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-4263

Source: SUSE
Type: SUSE-SA:2007:054
Xorg security problems

Vulnerable Configuration:Configuration 1:
  • cpe:/a:x.org:x_font_server:*:*:*:*:*:*:*:* (Version <= 1.0.4)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions:

| Definition ID | Class | Title | Last Modified |
| --- | --- | --- | --- |
| oval:org.opensuse.security:def:20074990 | V | CVE-2007-4990 | 2015-11-16 |
| oval:org.mitre.oval:def:11599 | V | The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption. | 2013-04-29 |
| oval:com.redhat.rhsa:def:20080029 | P | RHSA-2008:0029: XFree86 security update (Important) | 2008-03-20 |
| oval:com.redhat.rhsa:def:20080030 | P | RHSA-2008:0030: xorg-x11 security update (Important) | 2008-03-20 |
    x.org x font server *