ID CVE-2007-1351
Summary Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.
References
Vulnerable Configurations
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.10:-:amd64
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.10:-:i386
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.10:-:powerpc
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.10:-:sparc
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:-:amd64
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:-:i386
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:-:powerpc
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:-:sparc
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.10:-:amd64
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.10:-:i386
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.10:-:powerpc
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.10:-:sparc
  • cpe:2.3:a:x.org:libxfont:1.2.2
  • cpe:2.3:a:xfree86_project:x11r6:4.3.0
  • cpe:2.3:a:xfree86_project:x11r6:4.3.0.1
  • cpe:2.3:a:xfree86_project:x11r6:4.3.0.2
  • cpe:2.3:o:rpath:rpath_linux:1
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server_ia64
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server_ia64
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation_ia64
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_servers
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:workstation
  • cpe:2.3:o:redhat:enterprise_linux:5.0:-:desktop
  • cpe:2.3:o:redhat:enterprise_linux:5.0:-:desktop_workstation
  • cpe:2.3:o:redhat:enterprise_linux:5.0:-:server
  • Red Hat Desktop 3.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:3.0
  • Red Hat Desktop 4.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:4.0
  • cpe:2.3:o:redhat:linux_advanced_workstation:2.1:-:ia64
  • cpe:2.3:o:redhat:linux_advanced_workstation:2.1:-:itanium
  • OpenBSD 3.9
    cpe:2.3:o:openbsd:openbsd:3.9
  • OpenBSD 4.0
    cpe:2.3:o:openbsd:openbsd:4.0
  • MandrakeSoft Mandrake Linux 2007.0
    cpe:2.3:o:mandrakesoft:mandrake_linux:2007
  • cpe:2.3:o:mandrakesoft:mandrake_linux:2007:-:x86_64
  • MandrakeSoft Mandrake Corporate Server 3.0
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:3.0
  • cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:3.0:-:x86_64
  • MandrakeSoft Mandrake Corporate Server 4.0
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:4.0
  • cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:4.0:-:x86_64
  • MandrakeSoft Mandrake Multi Network Firewall 2.0
    cpe:2.3:a:mandrakesoft:mandrake_multi_network_firewall:2.0
CVSS
Base: 8.5 (as of 09-04-2007 - 13:18)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: SINGLE_INSTANCE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2009-001.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied. This security update contains fixes for the following products : - AFP Server - Apple Pixlet Video - CarbonCore - CFNetwork - Certificate Assistant - ClamAV - CoreText - CUPS - DS Tools - fetchmail - Folder Manager - FSEvents - Network Time - perl - Printing - python - Remote Apple Events - Safari RSS - servermgrd - SMB - SquirrelMail - X11 - XTerm
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 35684
    published 2009-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35684
    title Mac OS X Multiple Vulnerabilities (Security Update 2009-001)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0150.NASL
    description Updated freetype packages that fix a security flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine. An integer overflow flaw was found in the way the FreeType font engine processed BDF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2007-1351) This flaw did not affect the version of FreeType shipped in Red Hat Enterprise Linux 2.1. Users of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue. Red Hat would like to thank iDefense for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25042
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25042
    title CentOS 3 / 4 / 5 : freetype (CESA-2007:0150)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0150.NASL
    description From Red Hat Security Advisory 2007:0150 : Updated freetype packages that fix a security flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine. An integer overflow flaw was found in the way the FreeType font engine processed BDF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2007-1351) This flaw did not affect the version of FreeType shipped in Red Hat Enterprise Linux 2.1. Users of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue. Red Hat would like to thank iDefense for reporting this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67469
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67469
    title Oracle Linux 3 / 4 : freetype (ELSA-2007-0150)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-02 (FreeType: User-assisted execution of arbitrary code) Greg MacManus of iDefense Labs has discovered an integer overflow in the function bdfReadCharacters() when parsing BDF fonts. Impact : A remote attacker could entice a user to use a specially crafted BDF font, possibly resulting in a heap-based buffer overflow and the remote execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 25132
    published 2007-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25132
    title GLSA-200705-02 : FreeType: User-assisted execution of arbitrary code
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-109-01.NASL
    description New x11 and/or freetype and fontconfig packages are available for Slackware 10.1, 10.2, 11.0, and -current to fix security issues in freetype. Freetype was packaged with X11 prior to Slackware version 11.0.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 25092
    published 2007-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25092
    title Slackware 10.1 / 10.2 / 11.0 / current : freetype (SSA:2007-109-01)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FREETYPE2-3066.NASL
    description This update of freetype2 fixes an integer overflow in the BDF font parsing code. This bug can be exploited only with user assistance to potentially execute arbitrary code. (CVE-2007-1351)
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27226
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27226
    title openSUSE 10 Security Update : freetype2 (freetype2-3066)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-10 (LibXfont, TightVNC: Multiple vulnerabilities) The libXfont code is prone to several integer overflows, in functions ProcXCMiscGetXIDList(), bdfReadCharacters() and FontFileInitTable(). TightVNC contains a local copy of this code and is also affected. Impact : A local attacker could use a specially crafted BDF Font to gain root privileges on the vulnerable host. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 25187
    published 2007-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25187
    title GLSA-200705-10 : LibXfont, TightVNC: Multiple vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0126.NASL
    description From Red Hat Security Advisory 2007:0126 : Updated X.org packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported an integer overflow flaw in the X.org XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the X.org XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67465
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67465
    title Oracle Linux 4 : xorg-x11 (ELSA-2007-0126)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0126.NASL
    description Updated X.org packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported an integer overflow flaw in the X.org XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the X.org XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 24950
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24950
    title RHEL 4 : xorg-x11 (RHSA-2007:0126)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XORG-X11-SERVER-3083.NASL
    description Integer overflows in the XC-MISC extension of the X-server could potentially be exploited to execute code with root privileges. (CVE-2007-1003) Integer overflows in libx11 could cause crashes. (CVE-2007-1667) Integer overflows in the font handling of the X-server could potentially be exploited to execute code with root privileges. (CVE-2007-1352 / CVE-2007-1351)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29607
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29607
    title SuSE 10 Security Update : Xorg X11 (ZYPP Patch Number 3083)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-448-1.NASL
    description Sean Larsson of iDefense Labs discovered that the MISC-XC extension of Xorg did not correctly verify the size of allocated memory. An authenticated user could send a specially crafted X11 request and execute arbitrary code with root privileges. (CVE-2007-1003) Greg MacManus of iDefense Labs discovered that the BDF font handling code in Xorg and FreeType did not correctly verify the size of allocated memory. If a user were tricked into using a specially crafted font, a remote attacker could execute arbitrary code with root privileges. (CVE-2007-1351, CVE-2007-1352). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28045
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28045
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : freetype, libxfont, xorg, xorg-server vulnerabilities (USN-448-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1454.NASL
    description Greg MacManus discovered an integer overflow in the font handling of libfreetype, a FreeType 2 font engine, which might lead to denial of service or possibly the execution of arbitrary code if a user is tricked into opening a malformed font.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29873
    published 2008-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29873
    title Debian DSA-1454-1 : freetype - integer overflow
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1294.NASL
    description Several vulnerabilities have been discovered in the X Window System, which may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1003 Sean Larsson discovered an integer overflow in the XC-MISC extension, which might lead to denial of service or local privilege escalation. - CVE-2007-1351 Greg MacManus discovered an integer overflow in the font handling, which might lead to denial of service or local privilege escalation. - CVE-2007-1352 Greg MacManus discovered an integer overflow in the font handling, which might lead to denial of service or local privilege escalation. - CVE-2007-1667 Sami Leides discovered an integer overflow in the libx11 library which might lead to the execution of arbitrary code. This update introduces tighter sanity checking of input passed to XCreateImage(). To cope with this an updated rdesktop package is delivered along with this security update. Another application reported to break is the proprietary Opera browser, which isn't part of Debian. The vendor has released updated packages, though.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 25259
    published 2007-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25259
    title Debian DSA-1294-1 : xfree86 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0132.NASL
    description Updated X.org libXfont packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) Users of X.org libXfont should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25324
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25324
    title RHEL 5 : libXfont (RHSA-2007:0132)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0150.NASL
    description Updated freetype packages that fix a security flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeType is a free, high-quality, portable font engine. An integer overflow flaw was found in the way the FreeType font engine processed BDF font files. If a user loaded a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or execute arbitrary code. While it is uncommon for a user to explicitly load a font file, there are several application file formats which contain embedded fonts that are parsed by FreeType. (CVE-2007-1351) This flaw did not affect the version of FreeType shipped in Red Hat Enterprise Linux 2.1. Users of FreeType should upgrade to these updated packages, which contain a backported patch to correct this issue. Red Hat would like to thank iDefense for reporting this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25066
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25066
    title RHEL 3 / 4 / 5 : freetype (RHSA-2007:0150)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-080.NASL
    description Local exploitation of a memory corruption vulnerability in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. The vulnerability exists in the ProcXCMiscGetXIDList() function in the XC-MISC extension. This request is used to determine what resource IDs are available for use. This function contains two vulnerabilities, both result in memory corruption of either the stack or heap. The ALLOCATE_LOCAL() macro used by this function allocates memory on the stack using alloca() on systems where alloca() is present, or using the heap otherwise. The handler function takes a user provided value, multiplies it, and then passes it to the above macro. This results in both an integer overflow vulnerability, and an alloca() stack pointer shifting vulnerability. Both can be exploited to execute arbitrary code. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) TightVNC uses some of the same code base as Xorg, and has the same vulnerable code. Updated packages are patched to address these issues. Update : Packages for Mandriva Linux 2007.1 are now available.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24946
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24946
    title Mandrake Linux Security Advisory : tightvnc (MDKSA-2007:080-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0125.NASL
    description From Red Hat Security Advisory 2007:0125 : Updated XFree86 packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67464
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67464
    title Oracle Linux 3 : XFree86 (ELSA-2007-0125)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-079.NASL
    description Local exploitation of a memory corruption vulnerability in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root. The vulnerability exists in the ProcXCMiscGetXIDList() function in the XC-MISC extension. This request is used to determine what resource IDs are available for use. This function contains two vulnerabilities, both result in memory corruption of either the stack or heap. The ALLOCATE_LOCAL() macro used by this function allocates memory on the stack using alloca() on systems where alloca() is present, or using the heap otherwise. The handler function takes a user provided value, multiplies it, and then passes it to the above macro. This results in both an integer overflow vulnerability, and an alloca() stack pointer shifting vulnerability. Both can be exploited to execute arbitrary code. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in x.org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or information leak via crafted images with large or negative values that trigger a buffer overflow. (CVE-2007-1667) Updated packages are patched to address these issues. Update : Packages for Mandriva Linux 2007.1 are now available.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24945
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24945
    title Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2007:079-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0132.NASL
    description From Red Hat Security Advisory 2007:0132 : Updated X.org libXfont packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) Users of X.org libXfont should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67468
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67468
    title Oracle Linux 5 : libXfont (ELSA-2007-0132)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0125.NASL
    description Updated XFree86 packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 24920
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24920
    title CentOS 3 : XFree86 (CESA-2007:0125)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-081.NASL
    description iDefense integer overflows in the way freetype handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code. Updated packages have been patched to correct this issue. Update : Packages for Mandriva Linux 2007.1 are now available.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24947
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24947
    title Mandrake Linux Security Advisory : freetype2 (MDKSA-2007:081-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0125.NASL
    description Updated XFree86 packages that fix a number of security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 24949
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24949
    title RHEL 2.1 / 3 : XFree86 (RHSA-2007:0125)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XORG-X11-SERVER-3082.NASL
    description Integer overflows in the XC-MISC extension of the X-server could potentially be exploited to execute code with root privileges (CVE-2007-1003). Integer overflows in libX11 could cause crashes (CVE-2007-1667). Integer overflows in the font handling of the X-server could potentially be exploited to execute code with root privileges (CVE-2007-1352, CVE-2007-1351).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27496
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27496
    title openSUSE 10 Security Update : xorg-x11-server (xorg-x11-server-3082)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0126.NASL
    description Updated X.org packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported an integer overflow flaw in the X.org XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1003) iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352) An integer overflow flaw was found in the X.org XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25006
    published 2007-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25006
    title CentOS 4 : xorg (CESA-2007:0126)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FREETYPE2-3067.NASL
    description This update of freetype2 fixes an integer overflow in the BDF font parsing code. This bug can be exploited only with user assistance to potentially execute arbitrary code. (CVE-2007-1351)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29437
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29437
    title SuSE 10 Security Update : freetype2 (ZYPP Patch Number 3067)
oval via4
  • accepted 2013-04-29T04:12:47.231-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.
    family unix
    id oval:org.mitre.oval:def:11266
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.
    version 25
  • accepted 2007-09-06T09:13:28.469-04:00
    class vulnerability
    contributors
    name Pai Peng
    organization Opsware, Inc.
    definition_extensions
    • comment Solaris 8 (SPARC) is installed
      oval oval:org.mitre.oval:def:1539
    • comment Solaris 9 (x86) is installed
      oval oval:org.mitre.oval:def:1683
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    • comment Solaris 9 (SPARC) is installed
      oval oval:org.mitre.oval:def:1457
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 8 (x86) is installed
      oval oval:org.mitre.oval:def:2059
    description Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow.
    family unix
    id oval:org.mitre.oval:def:1810
    status accepted
    submitted 2007-07-30T08:16:45.000-04:00
    title Multiple vulnerabilities in libfreetype, Xsun(1) and Xorg(1)
    version 32
redhat via4
advisories
  • bugzilla
    id 234228
    title CVE-2007-1351 BDF font integer overflow
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhba:tst:20070026001
      • OR
        • AND
          • comment freetype is earlier than 0:2.1.4-6.el3
            oval oval:com.redhat.rhsa:tst:20070150002
          • comment freetype is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070150003
        • AND
          • comment freetype-devel is earlier than 0:2.1.4-6.el3
            oval oval:com.redhat.rhsa:tst:20070150004
          • comment freetype-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070150005
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304001
      • OR
        • AND
          • comment freetype is earlier than 0:2.1.9-5.el4
            oval oval:com.redhat.rhsa:tst:20070150007
          • comment freetype is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070150003
        • AND
          • comment freetype-demos is earlier than 0:2.1.9-5.el4
            oval oval:com.redhat.rhsa:tst:20070150011
          • comment freetype-demos is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070150012
        • AND
          • comment freetype-devel is earlier than 0:2.1.9-5.el4
            oval oval:com.redhat.rhsa:tst:20070150008
          • comment freetype-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070150005
        • AND
          • comment freetype-utils is earlier than 0:2.1.9-5.el4
            oval oval:com.redhat.rhsa:tst:20070150009
          • comment freetype-utils is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070150010
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment freetype is earlier than 0:2.2.1-17.el5
            oval oval:com.redhat.rhsa:tst:20070150014
          • comment freetype is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070150015
        • AND
          • comment freetype-demos is earlier than 0:2.2.1-17.el5
            oval oval:com.redhat.rhsa:tst:20070150016
          • comment freetype-demos is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070150017
        • AND
          • comment freetype-devel is earlier than 0:2.2.1-17.el5
            oval oval:com.redhat.rhsa:tst:20070150018
          • comment freetype-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070150019
    rhsa
    id RHSA-2007:0150
    released 2007-04-16
    severity Moderate
    title RHSA-2007:0150: freetype security update (Moderate)
  • rhsa
    id RHSA-2007:0125
  • rhsa
    id RHSA-2007:0126
  • rhsa
    id RHSA-2007:0132
rpms
  • XFree86-0:4.3.0-120.EL
  • XFree86-100dpi-fonts-0:4.3.0-120.EL
  • XFree86-75dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-14-100dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-14-75dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-15-100dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-15-75dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-2-100dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-2-75dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-9-100dpi-fonts-0:4.3.0-120.EL
  • XFree86-ISO8859-9-75dpi-fonts-0:4.3.0-120.EL
  • XFree86-Mesa-libGL-0:4.3.0-120.EL
  • XFree86-Mesa-libGLU-0:4.3.0-120.EL
  • XFree86-Xnest-0:4.3.0-120.EL
  • XFree86-Xvfb-0:4.3.0-120.EL
  • XFree86-base-fonts-0:4.3.0-120.EL
  • XFree86-cyrillic-fonts-0:4.3.0-120.EL
  • XFree86-devel-0:4.3.0-120.EL
  • XFree86-doc-0:4.3.0-120.EL
  • XFree86-font-utils-0:4.3.0-120.EL
  • XFree86-libs-0:4.3.0-120.EL
  • XFree86-libs-data-0:4.3.0-120.EL
  • XFree86-sdk-0:4.3.0-120.EL
  • XFree86-syriac-fonts-0:4.3.0-120.EL
  • XFree86-tools-0:4.3.0-120.EL
  • XFree86-truetype-fonts-0:4.3.0-120.EL
  • XFree86-twm-0:4.3.0-120.EL
  • XFree86-xauth-0:4.3.0-120.EL
  • XFree86-xdm-0:4.3.0-120.EL
  • XFree86-xfs-0:4.3.0-120.EL
  • xorg-x11-0:6.8.2-1.EL.13.37.7
  • xorg-x11-Mesa-libGL-0:6.8.2-1.EL.13.37.7
  • xorg-x11-Mesa-libGLU-0:6.8.2-1.EL.13.37.7
  • xorg-x11-Xdmx-0:6.8.2-1.EL.13.37.7
  • xorg-x11-Xnest-0:6.8.2-1.EL.13.37.7
  • xorg-x11-Xvfb-0:6.8.2-1.EL.13.37.7
  • xorg-x11-deprecated-libs-0:6.8.2-1.EL.13.37.7
  • xorg-x11-deprecated-libs-devel-0:6.8.2-1.EL.13.37.7
  • xorg-x11-devel-0:6.8.2-1.EL.13.37.7
  • xorg-x11-doc-0:6.8.2-1.EL.13.37.7
  • xorg-x11-font-utils-0:6.8.2-1.EL.13.37.7
  • xorg-x11-libs-0:6.8.2-1.EL.13.37.7
  • xorg-x11-sdk-0:6.8.2-1.EL.13.37.7
  • xorg-x11-tools-0:6.8.2-1.EL.13.37.7
  • xorg-x11-twm-0:6.8.2-1.EL.13.37.7
  • xorg-x11-xauth-0:6.8.2-1.EL.13.37.7
  • xorg-x11-xdm-0:6.8.2-1.EL.13.37.7
  • xorg-x11-xfs-0:6.8.2-1.EL.13.37.7
  • libXfont-0:1.2.2-1.0.2.el5
  • libXfont-devel-0:1.2.2-1.0.2.el5
  • freetype-0:2.1.4-6.el3
  • freetype-devel-0:2.1.4-6.el3
  • freetype-0:2.1.9-5.el4
  • freetype-demos-0:2.1.9-5.el4
  • freetype-devel-0:2.1.9-5.el4
  • freetype-utils-0:2.1.9-5.el4
  • freetype-0:2.2.1-17.el5
  • freetype-demos-0:2.2.1-17.el5
  • freetype-devel-0:2.2.1-17.el5
refmap via4
apple
  • APPLE-SA-2007-11-14
  • APPLE-SA-2009-02-12
bid
  • 23283
  • 23300
  • 23402
bugtraq
  • 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
  • 20070405 FLEA-2007-0009-1: xorg-x11 freetype
confirm
debian
  • DSA-1294
  • DSA-1454
gentoo
  • GLSA-200705-02
  • GLSA-200705-10
  • GLSA-200805-07
idefense 20070403 Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability
mandriva
  • MDKSA-2007:079
  • MDKSA-2007:080
  • MDKSA-2007:081
mlist [xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfont
openbsd
  • [3.9] 021: SECURITY FIX: April 4, 2007
  • [4.0] 011: SECURITY FIX: April 4, 2007
sectrack 1017857
secunia
  • 24741
  • 24745
  • 24756
  • 24758
  • 24765
  • 24768
  • 24770
  • 24771
  • 24772
  • 24776
  • 24791
  • 24885
  • 24889
  • 24921
  • 24996
  • 25004
  • 25006
  • 25096
  • 25195
  • 25216
  • 25305
  • 25495
  • 28333
  • 30161
  • 33937
slackware SSA:2007-109-01
sunalert 102886
suse
  • SUSE-SA:2007:027
  • SUSE-SR:2007:006
trustix 2007-0013
ubuntu USN-448-1
vupen
  • ADV-2007-1217
  • ADV-2007-1264
  • ADV-2007-1548
xf xorg-bdf-font-bo(33417)
Last major update 19-02-2017 - 00:17
Published 05-04-2007 - 21:19
Last modified 16-10-2018 - 12:38