CVE-2006-3740
Published: 2006-09-13
CVE-2006-3740: Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2)…
Priority: P427, high, 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.50% (39.2th percentile)
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxfont | < libxfont 1:1.2.2-1 (bookworm) | libxfont 1:1.2.2-1 (bookworm) |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | libxfont | >= 0 < 1:1.2.2-1 | 1:1.2.2-1 |
| x.org | x.org | — | — |
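CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.2 | HIGH | |
| vendor_debian | | 7.2 | HIGH | |
| vendor_redhat | | 7.2 | HIGH | |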
Ubuntu
X.org vulnerabilities
vendor_ubuntu·2006-09-13
CVE-2006-3739 X.org vulnerabilities
Title: X.org vulnerabilities
Summary: X.org vulnerabilities
iDefense security researchers found several integer overflows in
X.org's font handling library. By using a specially crafted Type1 CID
font file, a local user could exploit these to crash the X server or
execute arbitrary code with root privileges.
Instructions: After a standard system upgrade you need to restart your X session to
effect the necessary changes.
Red Hat
security flaw
vendor_redhat·2006-09-12·CVSS 7.2
CVE-2006-3740 [HIGH] security flaw
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
Debian
CVE-2006-3740: libxfont - Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X serve...
vendor_debian·2006·CVSS 7.2
CVE-2006-3740 [HIGH] CVE-2006-3740: libxfont - Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X serve...
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
Scope: local
bookworm: resolved (fixed in 1:1.2.2-1)
bullseye: resolved (fixed in 1:1.2.2-1)
forky: resolved (fixed in 1:1.2.2-1)
sid: resolved (fixed in 1:1.2.2-1)
trixie: resolved (fixed in 1:1.2.2-1)
GHSA
GHSA-gpr2-3wwv-wvmr: Integer overflow in the scan_cidfont function in X
ghsa_unreviewed·2022-05-01
CVE-2006-3740 [HIGH] GHSA-gpr2-3wwv-wvmr: Integer overflow in the scan_cidfont function in X
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
OSV
CVE-2006-3740: Integer overflow in the scan_cidfont function in X
osv·2006-09-13·CVSS 7.2
CVE-2006-3740 [HIGH] CVE-2006-3740: Integer overflow in the scan_cidfont function in X
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-3740 security flaw
bugzilla·2018-08-16·CVSS 7.2
CVE-2006-3740 [HIGH] CVE-2006-3740 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
Bugzilla
CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
bugzilla·2006-09-15·CVSS 7.2
CVE-2006-3739 [HIGH] CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
Fixed in rawhide.
Bugzilla
CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
bugzilla·2006-08-29·CVSS 7.2
CVE-2006-3739 [HIGH] CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
iDefense reported two integer overflow vulnerabilities in X's CID font parser.
This could allow an attacker with access to the xserver to execute arbitrary
code with the same privileges as the X server (root).
Discussion:
Created attachment 135172
Proposed patch from upstream
---
Ping on this. Any ETA on new packages with this fix?
---
Now public at
http://lists.freedesktop.org/archives/xorg/2006-September/018021.html
removing embargo
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reo
Bugzilla
CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
bugzilla·2006-08-29·CVSS 7.2
CVE-2006-3739 [HIGH] CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
+++ This bug was initially created as a clone of Bug #204548 +++
iDefense reported two integer overflow vulnerabilities in X's CID font parser.
This could allow an attacker with access to the xserver to execute arbitrary
code with the same privileges as the X server (root).
Discussion:
attachment 135172 is the proposed patch from upstream
---
Ping on this. Any ETA on new packages with this fix?
---
XFree86-4.3.0-113.EL will have the fix (currently building but passed scratch build)
---
This also affects RHEL2 (I didn't note this initially but should have)
---
Just built XFree86-4.1.0-77.EL for RHEL2.
---
Now public at
http://lists.freedesktop.org/archives/xorg/2006-September/018021.html
removing embarg
Published: 2006-09-13