Public bug reported:

Binary package hint: xfs

References:
[1] http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
[2] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602

Affected versions:
According to [1], all prior to xfs 1.0.5

Short summary [from [1]:
"Several vulnerabilities have been identified in xfs, the X font
server.  The QueryXBitmaps and QueryXExtents protocol requests suffer
from lack of validation of their 'length' parameters.
[...]
These vulnerabilities can lead to code execution in the font
server. On most modern systems, the font server is accessible only for
local clients and runs with reduced privileges. But on some systems it
may still be accessible from remote clients and possibly running with
root privileges, creating an opportunity for remote privilege
escalation."

Patch for xfs 1.0.4 (included in X11R7.3):
ftp://ftp.freedesktop.org/pub/X11R7.3/patches/xorg-xfs-1.0.4-query.diff

The patch could be added to Gutsy before release; although, xfs is part
of universe.

** Affects: xfs (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2007-4568

-- 
[X font server] integer overflow and heap corruption vulnerability
https://bugs.launchpad.net/bugs/148940
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to