CVE-2006-3739
Published 2006-09-13
CVE-2006-3739: Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM)…
Priority P427 · high · 7.2 · CVSS 2.0
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.58% (43.1th percentile)
Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxfont | < libxfont 1:1.2.2-1 (bookworm) | libxfont 1:1.2.2-1 (bookworm) |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | x.org | — | — |
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
osv · 7.2 HIGH
vendor_debian · 7.2 HIGH
vendor_redhat · 7.2 HIGH
Ubuntu
X.org vulnerabilities
vendor_ubuntu·2006-09-13
iDefense security researchers found several integer overflows in
X.org's font handling library. By using a specially crafted Type1 CID
font file, a local user could exploit these to crash the X server or
execute arbitrary code with root privileges.
Instructions: After a standard system upgrade you need to restart your X session to
effect the necessary changes.
Red Hat
security flaw
vendor_redhat·2006-09-12·CVSS 7.2
Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
Debian
CVE-2006-3739: libxfont - Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allo...
vendor_debian·2006·CVSS 7.2
Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
Scope: local
bookworm: resolved (fixed in 1:1.2.2-1)
bullseye: resolved (fixed in 1:1.2.2-1)
forky: resolved (fixed in 1:1.2.2-1)
sid: resolved (fixed in 1:1.2.2-1)
trixie: resolved (fixed in 1:1.2.2-1)
GHSA
GHSA-h3pc-gf82-7xhp: Integer overflow in the CIDAFM function in X
ghsa_unreviewed·2022-05-01
Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
OSV
CVE-2006-3739: Integer overflow in the CIDAFM function in X
osv·2006-09-13·CVSS 7.2
Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-3739 security flaw
bugzilla·2018-08-16·CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
Bugzilla
CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
bugzilla·2006-09-15·CVSS 7.2
Fixed in rawhide.
Bugzilla
CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
bugzilla·2006-08-29·CVSS 7.2
iDefense reported two integer overflow vulnerabilities in X's CID font parser.
This could allow an attacker with access to the xserver to execute arbitrary
code with the same privileges as the X server (root).
Discussion:
Created attachment 135172
Proposed patch from upstream
---
Ping on this. Any ETA on new packages with this fix?
---
Now public at
http://lists.freedesktop.org/archives/xorg/2006-September/018021.html
removing embargo
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reo
Bugzilla
CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
bugzilla·2006-08-29·CVSS 7.2
+++ This bug was initially created as a clone of Bug #204548 +++
iDefense reported two integer overflow vulnerabilities in X's CID font parser.
This could allow an attacker with access to the xserver to execute arbitrary
code with the same privileges as the X server (root).
Discussion:
attachment 135172 is the proposed patch from upstream
---
Ping on this. Any ETA on new packages with this fix?
---
XFree86-4.3.0-113.EL will have the fix (currently building but passed scratch build)
---
This also affects RHEL2 (I didn't note this initially but should have)
---
Just built XFree86-4.1.0-77.EL for RHEL2.
---
Now public at
http://lists.freedesktop.org/archives/xorg/2006-September/018021.html
removing embarg