CVE-2007-6429 - Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execut

CVE-2007-6429

Summary

Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code via (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension.

References

Vulnerable Configurations

cpe:2.3:a:x.org:evi:*:*:*:*:*:*:*:*
cpe:2.3:a:x.org:evi:*:*:*:*:*:*:*:*
cpe:2.3:a:x.org:mit-shm:*:*:*:*:*:*:*:*
cpe:2.3:a:x.org:mit-shm:*:*:*:*:*:*:*:*
cpe:2.3:a:x.org:xserver:*:*:*:*:*:*:*:*
cpe:2.3:a:x.org:xserver:*:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 15-10-2018 - 21:53)
Impact:
Exploitability:

CWE

CWE-362

CAPEC

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

oval via4

accepted

2013-04-29T04:11:02.244-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:11045

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	414031
title	CVE-2007-5760 xorg: invalid array indexing in XFree86-Misc extension

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND

comment xorg-x11-server-Xdmx is earlier than 0:1.1.1-48.26.el5_1.5
oval oval:com.redhat.rhsa:tst:20080031001
comment xorg-x11-server-Xdmx is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070127002

AND

comment xorg-x11-server-Xephyr is earlier than 0:1.1.1-48.26.el5_1.5
oval oval:com.redhat.rhsa:tst:20080031003
comment xorg-x11-server-Xephyr is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070127004

AND

comment xorg-x11-server-Xnest is earlier than 0:1.1.1-48.26.el5_1.5
oval oval:com.redhat.rhsa:tst:20080031005
comment xorg-x11-server-Xnest is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070127006

AND

comment xorg-x11-server-Xorg is earlier than 0:1.1.1-48.26.el5_1.5
oval oval:com.redhat.rhsa:tst:20080031007
comment xorg-x11-server-Xorg is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070127008

AND

comment xorg-x11-server-Xvfb is earlier than 0:1.1.1-48.26.el5_1.5
oval oval:com.redhat.rhsa:tst:20080031009
comment xorg-x11-server-Xvfb is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070127010

AND

comment xorg-x11-server-sdk is earlier than 0:1.1.1-48.26.el5_1.5
oval oval:com.redhat.rhsa:tst:20080031011
comment xorg-x11-server-sdk is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070127012

rhsa

id	RHSA-2008:0031
released	2008-01-17
severity	Important
title	RHSA-2008:0031: xorg-x11-server security update (Important)

rhsa
id RHSA-2008:0029
rhsa
id RHSA-2008:0030

rpms

XFree86-0:4.1.0-86.EL
XFree86-0:4.3.0-126.EL
XFree86-100dpi-fonts-0:4.1.0-86.EL
XFree86-100dpi-fonts-0:4.3.0-126.EL
XFree86-75dpi-fonts-0:4.1.0-86.EL
XFree86-75dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-14-100dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-14-75dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-15-100dpi-fonts-0:4.1.0-86.EL
XFree86-ISO8859-15-100dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-15-75dpi-fonts-0:4.1.0-86.EL
XFree86-ISO8859-15-75dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-2-100dpi-fonts-0:4.1.0-86.EL
XFree86-ISO8859-2-100dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-2-75dpi-fonts-0:4.1.0-86.EL
XFree86-ISO8859-2-75dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-9-100dpi-fonts-0:4.1.0-86.EL
XFree86-ISO8859-9-100dpi-fonts-0:4.3.0-126.EL
XFree86-ISO8859-9-75dpi-fonts-0:4.1.0-86.EL
XFree86-ISO8859-9-75dpi-fonts-0:4.3.0-126.EL
XFree86-Mesa-libGL-0:4.3.0-126.EL
XFree86-Mesa-libGLU-0:4.3.0-126.EL
XFree86-Xnest-0:4.1.0-86.EL
XFree86-Xnest-0:4.3.0-126.EL
XFree86-Xvfb-0:4.1.0-86.EL
XFree86-Xvfb-0:4.3.0-126.EL
XFree86-base-fonts-0:4.3.0-126.EL
XFree86-cyrillic-fonts-0:4.1.0-86.EL
XFree86-cyrillic-fonts-0:4.3.0-126.EL
XFree86-devel-0:4.1.0-86.EL
XFree86-devel-0:4.3.0-126.EL
XFree86-doc-0:4.1.0-86.EL
XFree86-doc-0:4.3.0-126.EL
XFree86-font-utils-0:4.3.0-126.EL
XFree86-libs-0:4.1.0-86.EL
XFree86-libs-0:4.3.0-126.EL
XFree86-libs-data-0:4.3.0-126.EL
XFree86-sdk-0:4.3.0-126.EL
XFree86-syriac-fonts-0:4.3.0-126.EL
XFree86-tools-0:4.1.0-86.EL
XFree86-tools-0:4.3.0-126.EL
XFree86-truetype-fonts-0:4.3.0-126.EL
XFree86-twm-0:4.1.0-86.EL
XFree86-twm-0:4.3.0-126.EL
XFree86-xauth-0:4.3.0-126.EL
XFree86-xdm-0:4.1.0-86.EL
XFree86-xdm-0:4.3.0-126.EL
XFree86-xf86cfg-0:4.1.0-86.EL
XFree86-xfs-0:4.1.0-86.EL
XFree86-xfs-0:4.3.0-126.EL
xorg-x11-0:6.8.2-1.EL.33.0.2
xorg-x11-Mesa-libGL-0:6.8.2-1.EL.33.0.2
xorg-x11-Mesa-libGLU-0:6.8.2-1.EL.33.0.2
xorg-x11-Xdmx-0:6.8.2-1.EL.33.0.2
xorg-x11-Xnest-0:6.8.2-1.EL.33.0.2
xorg-x11-Xvfb-0:6.8.2-1.EL.33.0.2
xorg-x11-deprecated-libs-0:6.8.2-1.EL.33.0.2
xorg-x11-deprecated-libs-devel-0:6.8.2-1.EL.33.0.2
xorg-x11-devel-0:6.8.2-1.EL.33.0.2
xorg-x11-doc-0:6.8.2-1.EL.33.0.2
xorg-x11-font-utils-0:6.8.2-1.EL.33.0.2
xorg-x11-libs-0:6.8.2-1.EL.33.0.2
xorg-x11-sdk-0:6.8.2-1.EL.33.0.2
xorg-x11-tools-0:6.8.2-1.EL.33.0.2
xorg-x11-twm-0:6.8.2-1.EL.33.0.2
xorg-x11-xauth-0:6.8.2-1.EL.33.0.2
xorg-x11-xdm-0:6.8.2-1.EL.33.0.2
xorg-x11-xfs-0:6.8.2-1.EL.33.0.2
xorg-x11-server-Xdmx-0:1.1.1-48.26.el5_1.5
xorg-x11-server-Xephyr-0:1.1.1-48.26.el5_1.5
xorg-x11-server-Xnest-0:1.1.1-48.26.el5_1.5
xorg-x11-server-Xorg-0:1.1.1-48.26.el5_1.5
xorg-x11-server-Xvfb-0:1.1.1-48.26.el5_1.5
xorg-x11-server-debuginfo-0:1.1.1-48.26.el5_1.5
xorg-x11-server-sdk-0:1.1.1-48.26.el5_1.5

refmap via4

apple	APPLE-SA-2008-03-18
bid	27336 27350 27353
bugtraq	20080130 rPSA-2008-0032-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs
confirm	http://bugs.gentoo.org/show_bug.cgi?id=204362 http://docs.info.apple.com/article.html?artnum=307562 http://support.avaya.com/elmodocs2/security/ASA-2008-039.htm http://support.avaya.com/elmodocs2/security/ASA-2008-078.htm http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7&heading=AIX61&path=/200802/SECURITY/20080227/datafile112539&label=AIX%20X%20server%20multiple%20vulnerabilities https://issues.rpath.com/browse/RPL-2010
debian	DSA-1466
fedora	FEDORA-2008-0760 FEDORA-2008-0831
gentoo	GLSA-200801-09 GLSA-200804-05 GLSA-200805-07
hp	HPSBUX02381 SSRT080083
idefense	20080117 Multiple Vendor X Server EVI and MIT-SHM Extensions Integer Overflow Vulnerabilities
mandriva	MDVSA-2008:021 MDVSA-2008:022 MDVSA-2008:023 MDVSA-2008:025
mlist	[xorg] 20080117 X.Org security advisory: multiple vulnerabilities in the X server
openbsd	[4.1] 20080208 012: SECURITY FIX: February 8, 2008 [4.2] 20080208 006: SECURITY FIX: February 8, 2008
sectrack	1019232
secunia	28273 28532 28535 28536 28539 28540 28542 28543 28550 28584 28592 28616 28693 28718 28838 28843 28885 28941 29139 29420 29622 29707 30161 32545
sunalert	103200 200153
suse	SUSE-SA:2008:003 SUSE-SR:2008:003 SUSE-SR:2008:008
ubuntu	USN-571-1
vupen	ADV-2008-0179 ADV-2008-0184 ADV-2008-0497 ADV-2008-0703 ADV-2008-0924 ADV-2008-3000
xf	xorg-evi-bo(39763) xorg-mitshm-overflow(39764)

Last major update

15-10-2018 - 21:53

Published

18-01-2008 - 23:00

Last modified

15-10-2018 - 21:53