CVE-2007-4990

critical

Description

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

References

https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00352.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11599

https://issues.rpath.com/browse/RPL-1756

https://exchange.xforce.ibmcloud.com/vulnerabilities/36920

http://www.vupen.com/english/advisories/2008/0924/references

http://www.vupen.com/english/advisories/2008/0149

http://www.vupen.com/english/advisories/2007/3467

http://www.vupen.com/english/advisories/2007/3338

http://www.vupen.com/english/advisories/2007/3337

http://www.securitytracker.com/id?1018763

http://www.securityfocus.com/bid/25898

http://www.securityfocus.com/archive/1/481432/100/0/threaded

http://www.redhat.com/support/errata/RHSA-2008-0030.html

http://www.redhat.com/support/errata/RHSA-2008-0029.html

http://www.novell.com/linux/security/advisories/2007_54_xorg.html

http://www.mandriva.com/security/advisories?name=MDKSA-2007:210

http://sunsolve.sun.com/search/document.do?assetkey=1-66-200642-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1

http://security.gentoo.org/glsa/glsa-200710-11.xml

http://secunia.com/advisories/29420

http://secunia.com/advisories/28542

http://secunia.com/advisories/28536

http://secunia.com/advisories/28514

http://secunia.com/advisories/28004

http://secunia.com/advisories/27560

http://secunia.com/advisories/27240

http://secunia.com/advisories/27228

http://secunia.com/advisories/27176

http://secunia.com/advisories/27060

http://secunia.com/advisories/27052

http://secunia.com/advisories/27040

http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html

http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01323725

http://docs.info.apple.com/article.html?artnum=307562

http://bugs.gentoo.org/show_bug.cgi?id=194606

http://bugs.freedesktop.org/show_bug.cgi?id=12299

Details

Source: Mitre, NVD

Published: 2007-10-05

Updated: 2018-10-15

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical