// For flags

CVE-2007-4568

xfs integer overflow in the build_range function

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer overflow.

Desbordamiento de entero en la función build_range de X.Org X Font Server (xfs) anterior a 1.0.5 permite a atacantes locales o remotos (dependiendo del contexto) ejecutar código de su elección a través de peticiones de protocolo (2) QueryXBitmaps y (2) QueryXExtents con valores de tamaño manipulados, lo cual dispara un desbordamiento de búfer basado en montículo.

Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer overflow. The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2007-08-28 CVE Reserved
  • 2007-10-03 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-07-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-189: Numeric Errors
  • CWE-190: Integer Overflow or Wraparound
CAPEC
References (44)
URL Tag Source
http://bugs.freedesktop.org/show_bug.cgi?id=12298 X_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=194606 X_refsource_confirm
http://docs.info.apple.com/article.html?artnum=307430 X_refsource_confirm
http://docs.info.apple.com/article.html?artnum=307562 X_refsource_confirm
http://secunia.com/advisories/27040 Third Party Advisory
http://secunia.com/advisories/27052 Third Party Advisory
http://secunia.com/advisories/27060 Third Party Advisory
http://secunia.com/advisories/27168 Third Party Advisory
http://secunia.com/advisories/27176 Third Party Advisory
http://secunia.com/advisories/27228 Third Party Advisory
http://secunia.com/advisories/27240 Third Party Advisory
http://secunia.com/advisories/27560 Third Party Advisory
http://secunia.com/advisories/28004 Third Party Advisory
http://secunia.com/advisories/28536 Third Party Advisory
http://secunia.com/advisories/28542 Third Party Advisory
http://secunia.com/advisories/28891 Third Party Advisory
http://secunia.com/advisories/29420 Third Party Advisory
http://www.securityfocus.com/archive/1/481432/100/0/threaded Mailing List
http://www.securityfocus.com/bid/25898 Vdb Entry
http://www.securitytracker.com/id?1018763 Vdb Entry
http://www.us-cert.gov/cas/techalerts/TA08-043B.html Third Party Advisory
http://www.vupen.com/english/advisories/2007/3337 Vdb Entry
http://www.vupen.com/english/advisories/2007/3338 Vdb Entry
http://www.vupen.com/english/advisories/2007/3467 Vdb Entry
http://www.vupen.com/english/advisories/2008/0495/references Vdb Entry
http://www.vupen.com/english/advisories/2008/0924/references Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/36919 Vdb Entry
https://issues.rpath.com/browse/RPL-1756 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10882 Signature
URL Date SRC
URL Date SRC
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602 2023-02-13
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html 2023-02-13
URL Date SRC
http://lists.apple.com/archives/security-announce/2008/Feb/msg00002.html 2023-02-13
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html 2023-02-13
http://security.gentoo.org/glsa/glsa-200710-11.xml 2023-02-13
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1 2023-02-13
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200642-1 2023-02-13
http://www.debian.org/security/2007/dsa-1385 2023-02-13
http://www.mandriva.com/security/advisories?name=MDKSA-2007:210 2023-02-13
http://www.novell.com/linux/security/advisories/2007_54_xorg.html 2023-02-13
http://www.redhat.com/support/errata/RHSA-2008-0029.html 2023-02-13
http://www.redhat.com/support/errata/RHSA-2008-0030.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00352.html 2023-02-13
https://access.redhat.com/security/cve/CVE-2007-4568 2008-01-17
https://bugzilla.redhat.com/show_bug.cgi?id=281921 2008-01-17
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
X.org
Search vendor "X.org"
 X Font Server
Search vendor "X.org" for product "X Font Server"
 1.0.1
Search vendor "X.org" for product "X Font Server" and version "1.0.1"
-
Affected
X.org
Search vendor "X.org"
 X Font Server
Search vendor "X.org" for product "X Font Server"
 1.0.2
Search vendor "X.org" for product "X Font Server" and version "1.0.2"
-
Affected
X.org
Search vendor "X.org"
 X Font Server
Search vendor "X.org" for product "X Font Server"
 1.0.4
Search vendor "X.org" for product "X Font Server" and version "1.0.4"
-
Affected