ID CVE-2007-6429
Summary Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
References
Vulnerable Configurations
  • cpe:2.3:a:x.org:evi:*:*:*:*:*:*:*:*
  • cpe:2.3:a:x.org:mit-shm:*:*:*:*:*:*:*:*
  • cpe:2.3:a:x.org:xserver:*:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 15-10-2018 - 21:53)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version, causing the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2013-04-29T04:11:02.244-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
family unix
id oval:org.mitre.oval:def:11045
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.
version 24
redhat via4
advisories
  • bugzilla
    id 414031
    title CVE-2007-5760 xorg: invalid array indexing in XFree86-Misc extension
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment xorg-x11-server-Xdmx is earlier than 0:1.1.1-48.26.el5_1.5
          oval oval:com.redhat.rhsa:tst:20080031008
        • comment xorg-x11-server-Xdmx is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070127003
      • AND
        • comment xorg-x11-server-Xephyr is earlier than 0:1.1.1-48.26.el5_1.5
          oval oval:com.redhat.rhsa:tst:20080031002
        • comment xorg-x11-server-Xephyr is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070127011
      • AND
        • comment xorg-x11-server-Xnest is earlier than 0:1.1.1-48.26.el5_1.5
          oval oval:com.redhat.rhsa:tst:20080031004
        • comment xorg-x11-server-Xnest is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070127013
      • AND
        • comment xorg-x11-server-Xorg is earlier than 0:1.1.1-48.26.el5_1.5
          oval oval:com.redhat.rhsa:tst:20080031012
        • comment xorg-x11-server-Xorg is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070127007
      • AND
        • comment xorg-x11-server-Xvfb is earlier than 0:1.1.1-48.26.el5_1.5
          oval oval:com.redhat.rhsa:tst:20080031006
        • comment xorg-x11-server-Xvfb is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070127009
      • AND
        • comment xorg-x11-server-sdk is earlier than 0:1.1.1-48.26.el5_1.5
          oval oval:com.redhat.rhsa:tst:20080031010
        • comment xorg-x11-server-sdk is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070127005
    rhsa
    id RHSA-2008:0031
    released 2008-01-17
    severity Important
    title RHSA-2008:0031: xorg-x11-server security update (Important)
  • rhsa
    id RHSA-2008:0029
  • rhsa
    id RHSA-2008:0030
rpms
  • XFree86-0:4.3.0-126.EL
  • XFree86-100dpi-fonts-0:4.3.0-126.EL
  • XFree86-75dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-14-100dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-14-75dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-15-100dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-15-75dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-2-100dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-2-75dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-9-100dpi-fonts-0:4.3.0-126.EL
  • XFree86-ISO8859-9-75dpi-fonts-0:4.3.0-126.EL
  • XFree86-Mesa-libGL-0:4.3.0-126.EL
  • XFree86-Mesa-libGLU-0:4.3.0-126.EL
  • XFree86-Xnest-0:4.3.0-126.EL
  • XFree86-Xvfb-0:4.3.0-126.EL
  • XFree86-base-fonts-0:4.3.0-126.EL
  • XFree86-cyrillic-fonts-0:4.3.0-126.EL
  • XFree86-devel-0:4.3.0-126.EL
  • XFree86-doc-0:4.3.0-126.EL
  • XFree86-font-utils-0:4.3.0-126.EL
  • XFree86-libs-0:4.3.0-126.EL
  • XFree86-libs-data-0:4.3.0-126.EL
  • XFree86-sdk-0:4.3.0-126.EL
  • XFree86-syriac-fonts-0:4.3.0-126.EL
  • XFree86-tools-0:4.3.0-126.EL
  • XFree86-truetype-fonts-0:4.3.0-126.EL
  • XFree86-twm-0:4.3.0-126.EL
  • XFree86-xauth-0:4.3.0-126.EL
  • XFree86-xdm-0:4.3.0-126.EL
  • XFree86-xfs-0:4.3.0-126.EL
  • xorg-x11-0:6.8.2-1.EL.33.0.2
  • xorg-x11-Mesa-libGL-0:6.8.2-1.EL.33.0.2
  • xorg-x11-Mesa-libGLU-0:6.8.2-1.EL.33.0.2
  • xorg-x11-Xdmx-0:6.8.2-1.EL.33.0.2
  • xorg-x11-Xnest-0:6.8.2-1.EL.33.0.2
  • xorg-x11-Xvfb-0:6.8.2-1.EL.33.0.2
  • xorg-x11-deprecated-libs-0:6.8.2-1.EL.33.0.2
  • xorg-x11-deprecated-libs-devel-0:6.8.2-1.EL.33.0.2
  • xorg-x11-devel-0:6.8.2-1.EL.33.0.2
  • xorg-x11-doc-0:6.8.2-1.EL.33.0.2
  • xorg-x11-font-utils-0:6.8.2-1.EL.33.0.2
  • xorg-x11-libs-0:6.8.2-1.EL.33.0.2
  • xorg-x11-sdk-0:6.8.2-1.EL.33.0.2
  • xorg-x11-tools-0:6.8.2-1.EL.33.0.2
  • xorg-x11-twm-0:6.8.2-1.EL.33.0.2
  • xorg-x11-xauth-0:6.8.2-1.EL.33.0.2
  • xorg-x11-xdm-0:6.8.2-1.EL.33.0.2
  • xorg-x11-xfs-0:6.8.2-1.EL.33.0.2
  • xorg-x11-server-Xdmx-0:1.1.1-48.26.el5_1.5
  • xorg-x11-server-Xephyr-0:1.1.1-48.26.el5_1.5
  • xorg-x11-server-Xnest-0:1.1.1-48.26.el5_1.5
  • xorg-x11-server-Xorg-0:1.1.1-48.26.el5_1.5
  • xorg-x11-server-Xvfb-0:1.1.1-48.26.el5_1.5
  • xorg-x11-server-sdk-0:1.1.1-48.26.el5_1.5
refmap via4
apple APPLE-SA-2008-03-18
bid
  • 27336
  • 27350
  • 27353
bugtraq 20080130 rPSA-2008-0032-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
confirm
debian DSA-1466
fedora
  • FEDORA-2008-0760
  • FEDORA-2008-0831
gentoo
  • GLSA-200801-09
  • GLSA-200804-05
  • GLSA-200805-07
hp
  • HPSBUX02381
  • SSRT080083
idefense 20080117 Multiple Vendor X Server EVI and MIT-SHM Extensions Integer Overflow Vulnerabilities
mandriva
  • MDVSA-2008:021
  • MDVSA-2008:022
  • MDVSA-2008:023
  • MDVSA-2008:025
mlist [xorg] 20080117 X.Org security advisory: multiple vulnerabilities in the X server
openbsd
  • [4.1] 20080208 012: SECURITY FIX: February 8, 2008
  • [4.2] 20080208 006: SECURITY FIX: February 8, 2008
sectrack 1019232
secunia
  • 28273
  • 28532
  • 28535
  • 28536
  • 28539
  • 28540
  • 28542
  • 28543
  • 28550
  • 28584
  • 28592
  • 28616
  • 28693
  • 28718
  • 28838
  • 28843
  • 28885
  • 28941
  • 29139
  • 29420
  • 29622
  • 29707
  • 30161
  • 32545
sunalert
  • 103200
  • 200153
suse
  • SUSE-SA:2008:003
  • SUSE-SR:2008:003
  • SUSE-SR:2008:008
ubuntu USN-571-1
vupen
  • ADV-2008-0179
  • ADV-2008-0184
  • ADV-2008-0497
  • ADV-2008-0703
  • ADV-2008-0924
  • ADV-2008-3000
xf
  • xorg-evi-bo(39763)
  • xorg-mitshm-overflow(39764)
Last major update 15-10-2018 - 21:53
Published 18-01-2008 - 23:00