Public bug reported: Binary package hint: xfs
References: [1] http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html [2] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602 Affected versions: According to [1], all prior to xfs 1.0.5 Short summary [from [1]: "Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters. [...] These vulnerabilities can lead to code execution in the font server. On most modern systems, the font server is accessible only for local clients and runs with reduced privileges. But on some systems it may still be accessible from remote clients and possibly running with root privileges, creating an opportunity for remote privilege escalation." Patch for xfs 1.0.4 (included in X11R7.3): ftp://ftp.freedesktop.org/pub/X11R7.3/patches/xorg-xfs-1.0.4-query.diff The patch could be added to Gutsy before release; although, xfs is part of universe. ** Affects: xfs (Ubuntu) Importance: Undecided Status: New ** Visibility changed to: Public ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2007-4568 -- [X font server] integer overflow and heap corruption vulnerability https://bugs.launchpad.net/bugs/148940 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
