Vulnerabilities > CVE-2004-0094 - Buffer Overflow vulnerability in XFree86 Direct Rendering Infrastructure
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Integer signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 7 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-443.NASL description A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project : - CAN-2004-0083 : Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084. - CAN-2004-0084 : Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083. - CAN-2004-0106 : Miscellaneous additional flaws in XFree86 last seen 2020-06-01 modified 2020-06-02 plugin id 15280 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15280 title Debian DSA-443-1 : xfree86 - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-443. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15280); script_version("1.23"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2003-0690", "CVE-2004-0083", "CVE-2004-0084", "CVE-2004-0093", "CVE-2004-0094", "CVE-2004-0106"); script_bugtraq_id(9636, 9652, 9655, 9701); script_xref(name:"DSA", value:"443"); script_name(english:"Debian DSA-443-1 : xfree86 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project : - CAN-2004-0083 : Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084. - CAN-2004-0084 : Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083. - CAN-2004-0106 : Miscellaneous additional flaws in XFree86's handling of font files. - CAN-2003-0690 : xdm does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. - CAN-2004-0093, CAN-2004-0094 : Denial-of-service attacks against the X server by clients using the GLX extension and Direct Rendering Infrastructure are possible due to unchecked client data (out-of-bounds array indexes [CAN-2004-0093] and integer signedness errors [CAN-2004-0094]). Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, CAN-2004-0093 and CAN-2004-0094 would require a connection to the X server. By default, display managers in Debian start the X server with a configuration which only accepts local connections, but if the configuration is changed to allow remote connections, or X servers are started by other means, then these bugs could be exploited remotely. Since the X server usually runs with root privileges, these bugs could potentially be exploited to gain root privileges. No attack vector for CAN-2003-0690 is known at this time." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-443" ); script_set_attribute( attribute:"solution", value: "For the stable distribution (woody) these problems have been fixed in version 4.1.0-16woody3. We recommend that you update your xfree86 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xfree86"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2004/02/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/02/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"lbxproxy", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libdps-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libdps1", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libdps1-dbg", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libxaw6", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libxaw6-dbg", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libxaw6-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libxaw7", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libxaw7-dbg", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"libxaw7-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"proxymngr", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"twm", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"x-window-system", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"x-window-system-core", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xbase-clients", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xdm", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-100dpi", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-100dpi-transcoded", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-75dpi", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-75dpi-transcoded", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-base", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-base-transcoded", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-cyrillic", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-pex", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfonts-scalable", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfree86-common", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfs", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xfwp", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlib6g", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlib6g-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibmesa-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibmesa3", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibmesa3-dbg", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibosmesa-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibosmesa3", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibosmesa3-dbg", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibs", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibs-dbg", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibs-dev", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xlibs-pic", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xmh", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xnest", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xprt", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xserver-common", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xserver-xfree86", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xspecs", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xterm", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xutils", reference:"4.1.0-16woody3")) flag++; if (deb_check(release:"3.0", prefix:"xvfb", reference:"4.1.0-16woody3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-152.NASL description Updated XFree86 packages that fix a minor denial of service vulnerability are now available. XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. Flaws in XFree86 4.1.0 allows local or remote attackers who are able to connect to the X server to cause a denial of service via an out-of-bounds array index or integer signedness error when using the GLX extension and Direct Rendering Infrastructure (DRI). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0093 and CVE-2004-0094 to these issues. These issues do not affect Red Hat Enterprise Linux 3. All users of XFree86 are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 12483 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12483 title RHEL 2.1 : XFree86 (RHSA-2004:152) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2004:152. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12483); script_version ("1.27"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2004-0093", "CVE-2004-0094"); script_xref(name:"RHSA", value:"2004:152"); script_name(english:"RHEL 2.1 : XFree86 (RHSA-2004:152)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated XFree86 packages that fix a minor denial of service vulnerability are now available. XFree86 is an implementation of the X Window System, providing the core graphical user interface and video drivers. Flaws in XFree86 4.1.0 allows local or remote attackers who are able to connect to the X server to cause a denial of service via an out-of-bounds array index or integer signedness error when using the GLX extension and Direct Rendering Infrastructure (DRI). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0093 and CVE-2004-0094 to these issues. These issues do not affect Red Hat Enterprise Linux 3. All users of XFree86 are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0093" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0094" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2004:152" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-100dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-75dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-15-100dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-15-75dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-2-100dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-2-75dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-9-100dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-9-75dpi-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-Xnest"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-Xvfb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-cyrillic-fonts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-twm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-xdm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-xf86cfg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-xfs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2004:152"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-100dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-75dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-15-100dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-15-75dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-2-100dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-2-75dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-9-100dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-9-75dpi-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-Xnest-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-Xvfb-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-cyrillic-fonts-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-devel-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-doc-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-libs-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-tools-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-twm-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-xdm-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-xf86cfg-4.1.0-58.EL")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-xfs-4.1.0-58.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "XFree86 / XFree86-100dpi-fonts / XFree86-75dpi-fonts / etc"); } }
Redhat
advisories |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20040406-01-U
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000824
- http://www.debian.org/security/2004/dsa-443
- http://www.redhat.com/support/errata/RHSA-2004-152.html
- http://www.securityfocus.com/bid/9701
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15273