CVE-2007-4990
Published: 2007-10-05
Priority: P343 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 10.74% (95.3rd percentile)
The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
Affected
26 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.4.11 | 10.4.11 |
| apple | mac_os_x | >= 10.5.0 < 10.5.2 | 10.5.2 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | xorg-server | < xorg-server 2:1.4.1~git20080105-2 (bookworm) | xorg-server 2:1.4.1~git20080105-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| suse | linux | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_server | — | — |
| suse | linux_enterprise_server | — | — |
| suse | linux_enterprise_server | — | — |
| suse | linux_enterprise_software_development_kit | — | — |
| x.org | x_font_server | <= 1.0.4 | — |
| x.org | x_server | < 1.4.1 | 1.4.1 |
| x.org | xorg-server | >= 0 < 2:1.4.1~git20080105-2 | 2:1.4.1~git20080105-2 |
| x.org | xorg-server | >= 0 < 2:1.4.1~git20080105-2 | 2:1.4.1~git20080105-2 |
| x.org | xorg-server | >= 0 < 2:1.4.1~git20080105-2 | 2:1.4.1~git20080105-2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA: GHSA-c5xh-656p-g98m (ghsa_unreviewed, 2022-05-01) for CVE-2007-4990 [HIGH]: The swap_char2b function in X
The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
GHSA: GHSA-r7g2-76rh-rjm8 (ghsa_unreviewed, 2022-05-01, CVSS 7.5) for CVE-2007-6427 [HIGH] CWE-787: The XInput extension in X
The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
OSV: CVE-2007-6427 (osv, 2008-01-18, CVSS 7.5) [HIGH]: The XInput extension in X
The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Red Hat: xfree86: memory corruption via XInput extension (vendor_redhat, 2008-01-17, CVSS 7.5) for CVE-2007-6427 [HIGH]
The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Red Hat: xfs heap overflow in the swap_char2b function (vendor_redhat, 2007-10-02, CVSS 7.5) for CVE-2007-4990 [HIGH] CWE-122
The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Package: xorg-x11-xfs (Red Hat Enterprise Linux 5) - Will not fix
Debian: CVE-2007-6427: xorg-server (vendor_debian, 2007, CVSS 7.5) [HIGH]
The XInput extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to execute arbitrary code via requests related to byte swapping and heap corruption within multiple functions, a different vulnerability than CVE-2007-4990.
Scope: local
bookworm: resolved (fixed in 2:1.4.1~git20080105-2)
bullseye: resolved (fixed in 2:1.4.1~git20080105-2)
forky: resolved (fixed in 2:1.4.1~git20080105-2)
sid: resolved (fixed in 2:1.4.1~git20080105-2)
trixie: resolved (fixed in 2:1.4.1~git20080105-2)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2007-4990 xfs heap overflow in the swap_char2b function (bugzilla, 2007-10-08, CVSS 7.5) [HIGH]
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4990 to the following vulnerability:
The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
References:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
Discussion:
Upstream patch:
http://xorg.freedesktop.org/archive/X11R7.3/patches/xorg-xfs-1.0.4-query.diff
---
For justification of security impact,
Bugzilla: CVE-2007-4568 xfs integer overflow in the build_range function (bugzilla, 2007-09-07, CVSS 6.8) [MEDIUM]
From Matthieu Herrb:
iDefense has brought to X.Org's security team 2 vulnerabilities in X.Org's font server, xfs.

The 1st one is an integer overflow in the build_range() function, exploitable by the QueryXBitmaps and QueryXExtents requests.

The 2nd one is a potential heap overflow in the swap_char2b() function, exploitable by the same 2 requests, to arbitrarily swap bytes two by two on the heap.

X.Org 7.3 (released today) as well as all previous versions are vulnerable. Other implementations of the X font server based on the original X/MIT implementation are likely to be vulnerable too.

The impact of these vulnerabilities is pretty low according to both iDefense's analysis and mine: most modern systems ship xfs either disabled