The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability bulletin CVE-2007-1003 CVE-2007-1351 CVE-2007-1352

X.Org, FreeType: integer overflows

Synthesis of the vulnerability

A local attacker can exploit overflows in X in order to elevate his privileges.
Vulnerable products: Debian, Fedora, Mandriva Linux, Mandriva NF, NLD, OES, OpenBSD, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, TurboLinux, Unix (platform) ~ not comprehensive, XOrg Bundle ~ not comprehensive, libX11.
Severity of this weakness: 3/4.
Consequences of an attack: administrator access/rights.
Hacker's origin: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 04/04/2007.
Références of this bulletin: 102886, 102888, 20070501-01-P, 6526191, 6538280, 6538282, 6538286, 6538290, 6539893, 6542279, BID-23283, BID-23284, BID-23300, BID-23402, CERTA-2007-AVI-177, CVE-2007-1003, CVE-2007-1351, CVE-2007-1352, CVE-2007-1667, DSA-1294-1, DSA-1454-1, DSA-1858-1, DSA-1903-1, FEDORA-2007-422, FEDORA-2007-423, FEDORA-2007-424, FEDORA-2007-425, FEDORA-2007-426, FEDORA-2007-427, MDKSA-2007:079, MDKSA-2007:079-1, MDKSA-2007:080, MDKSA-2007:080-1, MDKSA-2007:081, MDKSA-2007:081-1, MDKSA-2007:147, RHSA-2007:0125-01, RHSA-2007:0126-01, RHSA-2007:0127-01, RHSA-2007:0132-01, RHSA-2007:0150-01, RHSA-2007:0157-01, SSA:2007-109-01, SSA:2007-110-01, SUSE-SA:2007:027, SUSE-SR:2007:006, SUSE-SR:2007:008, SUSE-SR:2008:08, TLSA-2007-26, VIGILANCE-VUL-6708.

Description of the vulnerability

A local attacker can exploit overflows in X in order to elevate his privileges.

The XC-MISC extension is activated by default. A malicious client can create an integer overflow in ProcXCMiscGetXIDList(). [severity:3/4; BID-23284, CERTA-2007-AVI-177, CVE-2007-1003]

An attacker can create a BDF font generating an integer overflow in bdfReadCharacters() function of bdfread.c. This vulnerability also affects Freetype. [severity:3/4; BID-23283, CVE-2007-1351]

An attacker can create a font whose fonts.dir field generates an integer overflow in bdfReadCharacters() function. [severity:3/4; BID-23283, CVE-2007-1352]

The XInitImage() function of ImUtils.c does not correctly check its parameters. An attacker can create a malicous image and invite victim to see it with a software such as xwud or ImageMagick to generate an integer overflow. [severity:3/4; BID-23300, CVE-2007-1667]

These integer overflows lead to a denial of service or to code execution.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides systems vulnerabilities bulletins. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.