CVE-2007-4990

xfs heap overflow in the swap_char2b function

  • Severity Score: 7.5 (CVSS v2)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-09-19 CVE Reserved
  • 2007-10-05 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-122: Heap-based Buffer Overflow
  • CWE-189: Numeric Errors
References (40)
URL Tag Source
http://bugs.freedesktop.org/show_bug.cgi?id=12299 X_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=194606 X_refsource_confirm
http://docs.info.apple.com/article.html?artnum=307562 X_refsource_confirm
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602 Third Party Advisory
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html Mailing List
http://secunia.com/advisories/27040 Third Party Advisory
http://secunia.com/advisories/27052 Third Party Advisory
http://secunia.com/advisories/27060 Third Party Advisory
http://secunia.com/advisories/27176 Third Party Advisory
http://secunia.com/advisories/27228 Third Party Advisory
http://secunia.com/advisories/27240 Third Party Advisory
http://secunia.com/advisories/27560 Third Party Advisory
http://secunia.com/advisories/28004 Third Party Advisory
http://secunia.com/advisories/28514 Third Party Advisory
http://secunia.com/advisories/28536 Third Party Advisory
http://secunia.com/advisories/28542 Third Party Advisory
http://secunia.com/advisories/29420 Third Party Advisory
http://www.securityfocus.com/archive/1/481432/100/0/threaded Mailing List
http://www.securityfocus.com/bid/25898 Vdb Entry
http://www.securitytracker.com/id?1018763 Vdb Entry
http://www.vupen.com/english/advisories/2007/3337 Vdb Entry
http://www.vupen.com/english/advisories/2007/3338 Vdb Entry
http://www.vupen.com/english/advisories/2007/3467 Vdb Entry
http://www.vupen.com/english/advisories/2008/0149 Vdb Entry
http://www.vupen.com/english/advisories/2008/0924/references Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/36920 Vdb Entry
https://issues.rpath.com/browse/RPL-1756 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11599 Signature
Affected Vendors, Products, and Versions
  • Vendor: X.org
  • Product: X Font Server
  • Version: <= 1.0.4
  • Other: -
  • Status: Affected