ID CVE-2006-3740
Summary Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
References
Vulnerable Configurations
  • cpe:2.3:a:x.org:x.org:6.8.2
  • cpe:2.3:a:xfree86_project:xfree86_x
CVSS
Base: 7.2 (as of 14-09-2006 - 14:25)
Impact:
Exploitability:
Access
    Vector LOCAL
    Complexity LOW
    Authentication NONE
Impact
    Confidentiality COMPLETE
    Integrity COMPLETE
    Availability COMPLETE
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0665.NASL
    description Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 22339
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22339
    title CentOS 4 : xorg-x11 (CESA-2006:0665)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0666.NASL
    description Updated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-01-16
    modified 2018-11-16
    plugin id 22347
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22347
    title RHEL 2.1 / 3 : XFree86 (RHSA-2006:0666)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-344-1.NASL
    description iDefense security researchers found several integer overflows in X.org's font handling library. By using a specially crafted Type1 CID font file, a local user could exploit these to crash the X server or execute arbitrary code with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 27923
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27923
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : libxfont, xorg vulnerabilities (USN-344-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XORG-X11-SERVER-2062.NASL
    description This update fixes an integer overflow vulnerability when rendering CID-keyed fonts. (CVE-2006-3739 / CVE-2006-3740)
    last seen 2019-01-16
    modified 2012-05-17
    plugin id 29605
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29605
    title SuSE 10 Security Update : xorg-x11-server (ZYPP Patch Number 2062)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200609-07.NASL
    description The remote host is affected by the vulnerability described in GLSA-200609-07 (LibXfont, monolithic X.org: Multiple integer overflows) Several integer overflows have been found in the CID font parser. Impact : A remote attacker could exploit this vulnerability by enticing a user to load a malicious font file resulting in the execution of arbitrary code with the permissions of the user running the X server which typically is the root user. A local user could exploit this vulnerability to gain elevated privileges. Workaround : Disable CID-encoded Type 1 fonts by removing the 'type1' module and replacing it with the 'freetype' module in xorg.conf.
    last seen 2019-01-16
    modified 2018-07-11
    plugin id 22352
    published 2006-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22352
    title GLSA-200609-07 : LibXfont, monolithic X.org: Multiple integer overflows
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0666.NASL
    description Updated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 22340
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22340
    title CentOS 3 : XFree86 (CESA-2006:0666)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2006-0665.NASL
    description From Red Hat Security Advisory 2006:0665 : Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-01-16
    modified 2018-08-13
    plugin id 67407
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67407
    title Oracle Linux 4 : xorg-x11 (ELSA-2006-0665)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-164.NASL
    description Local exploitation of an integer overflow vulnerability in the 'CIDAFM()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root (CVE-2006-3739). Local exploitation of an integer overflow vulnerability in the 'scan_cidfont()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root (CVE-2006-3740). Updated packages are patched to address this issue. Update : Updated packages for 2007.0 have been patched (libxfont)
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 23908
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23908
    title Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2006:164-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-259-01.NASL
    description New x11 (X.Org) packages are available for Slackware 10.2, and -current to fix security issues due to overflows in font parsing.
    last seen 2018-09-02
    modified 2015-03-19
    plugin id 22420
    published 2006-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22420
    title Slackware 10.2 / current : x11 (SSA:2006-259-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1193.NASL
    description Several vulnerabilities have been discovered in the X Window System, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3467 Chris Evan discovered an integer overflow in the code to handle PCF fonts, which might lead to denial of service if a malformed font is opened. - CVE-2006-3739 It was discovered that an integer overflow in the code to handle Adobe Font Metrics might lead to the execution of arbitrary code. - CVE-2006-3740 It was discovered that an integer overflow in the code to handle CMap and CIDFont font data might lead to the execution of arbitrary code. - CVE-2006-4447 The XFree86 initialization code performs insufficient checking of the return value of setuid() when dropping privileges, which might lead to local privilege escalation.
    last seen 2019-01-16
    modified 2018-07-20
    plugin id 22734
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22734
    title Debian DSA-1193-1 : xfree86 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0665.NASL
    description Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-01-16
    modified 2018-11-16
    plugin id 22346
    published 2006-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22346
    title RHEL 4 : xorg-x11 (RHSA-2006:0665)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XORG-X11-SERVER-2056.NASL
    description This update fixes an integer overflow vulnerability when rendering CID-keyed fonts (CVE-2006-3739/CVE-2006-3740).
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 27494
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27494
    title openSUSE 10 Security Update : xorg-x11-server (xorg-x11-server-2056)
oval via4
accepted 2013-04-29T04:19:31.133-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
family unix
id oval:org.mitre.oval:def:9454
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
version 23
redhat via4
advisories
  • bugzilla
    id 204548
    title CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
    oval
    AND
    comment Red Hat Enterprise Linux 4 is installed
    oval oval:com.redhat.rhsa:tst:20060016001
    rhsa
    id RHSA-2006:0665
    released 2006-09-12
    severity Important
    title RHSA-2006:0665: xorg-x11 security update (Important)
  • bugzilla
    id 204549
    title CVE-2006-3739 X CID font parser multiple integer overflows (CVE-2006-3740)
    oval
    AND
    comment Red Hat Enterprise Linux 3 is installed
    oval oval:com.redhat.rhsa:tst:20060015001
    rhsa
    id RHSA-2006:0666
    released 2006-09-12
    severity Important
    title RHSA-2006:0666: XFree86 security update (Important)
refmap via4
bid 19974
bugtraq
  • 20060912 rPSA-2006-0167-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
  • 20070330 VMSA-2007-0002 VMware ESX security updates
confirm
debian DSA-1193
gentoo GLSA-200609-07
idefense 20060912 Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow Vulnerability
mandriva MDKSA-2006:164
sectrack 1016828
secunia
  • 21864
  • 21889
  • 21890
  • 21894
  • 21900
  • 21904
  • 21908
  • 21924
  • 22080
  • 22141
  • 22332
  • 22560
  • 23033
  • 23899
  • 23907
  • 24636
sunalert 102780
suse SUSE-SR:2006:023
ubuntu USN-344-1
vupen
  • ADV-2006-3581
  • ADV-2006-3582
  • ADV-2007-0322
  • ADV-2007-1171
xf xorg-server-scancidfont-overflow(28890)
Last major update 07-03-2011 - 21:39
Published 12-09-2006 - 21:07
Last modified 17-10-2018 - 17:29