Vulnerabilities > CVE-2006-3739 - Integer Overflow vulnerability in X.Org LibXfont CID Font File

047910
CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
local
low complexity
x-org
xfree86-project
nessus

Summary

Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.

Vulnerable Configurations

Part | Description | Count
Application | X.Org | 1
Application | Xfree86_Project | 1

Nessus

  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_X86_119060.NASL
    description: X11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Jun/15/17 This plugin has been deprecated and either replaced with individual 119060 patch-revision plugins, or deemed non-security related.
    last seen: 2019-02-21
    modified: 2018-07-30
    plugin id: 22985
    published: 2006-11-06
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=22985
    title: Solaris 10 (x86) : 119060-72 (deprecated)
    code
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2018/03/12. Deprecated and either replaced by
    # individual patch-revision plugins, or has been deemed a
    # non-security advisory.
    #
    include("compat.inc");
    
    # Metadata registration. This branch runs only when the scanner loads the
    # script with `description` set: it records the plugin's identity and
    # attributes, then exits before any host-side logic.
    if (description)
    {
      script_id(22985);
      script_version("1.54");
      script_cvs_date("Date: 2018/07/30 13:40:15");
    
      # Patch 119060 is mapped to seven CVEs, CVE-2006-3739 among them; the
      # plugin tracks the patch as a whole, not any single CVE.
      script_cve_id("CVE-2005-2495", "CVE-2005-3099", "CVE-2006-3467", "CVE-2006-3739", "CVE-2007-1667", "CVE-2007-4070", "CVE-2008-5684");
    
      script_name(english:"Solaris 10 (x86) : 119060-72 (deprecated)");
      script_summary(english:"Check for patch 119060-72");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"This plugin has been deprecated."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "X11 6.6.2_x86: Xsun patch.
    Date this patch was last updated by Sun : Jun/15/17
    
    This plugin has been deprecated and either replaced with individual
    119060 patch-revision plugins, or deemed non-security related."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://getupdates.oracle.com/readme/119060-72"
      );
      # No remediation text: the deprecated plugin no longer reports anything.
      script_set_attribute(
        attribute:"solution", 
        value:"n/a"
      );
      # Network / medium-complexity vector recorded for the whole CVE bundle.
      # NOTE(review): CVE-2006-3739 on its own is a local issue (crafted AFM
      # font file), so this vector presumably comes from another CVE in the
      # list - confirm before using it to prioritise CVE-2006-3739.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # CWE-189 (numeric errors) and CWE-399 (resource management errors).
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"Solaris Local Security Checks");
    
      # Declared prerequisites: the ssh_get_info.nasl dependency and two KB keys.
      # NOTE(review): presumably these keys are only present after a
      # credentialed scan - confirm against ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    # Unconditional exit: the deprecated plugin never inspects the host, so a
    # scan that relies on it can neither confirm nor rule out a missing 119060
    # patch. The message points to the per-revision plugins instead.
    exit(0, "This plugin has been deprecated. Consult specific patch-revision plugins for patch 119060 instead.");
    
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_X86_119060-70.NASL
    description: X11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Nov/12/15
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 107805
    published: 2018-03-12
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107805
    title: Solaris 10 (x86) : 119060-70
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text in this plugin was
    # extracted from the Oracle SunOS Patch Updates.
    #
    include("compat.inc");
    
    # Metadata registration. This branch runs only when the scanner loads the
    # script with `description` set: it records the plugin's identity and
    # attributes, then exits before the patch check further down.
    if (description)
    {
      script_id(107805);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/08");
    
      # Patch 119060-70 is mapped to seven CVEs, CVE-2006-3739 among them; a
      # finding means the patch is missing, not that a given CVE was verified.
      script_cve_id("CVE-2005-2495", "CVE-2005-3099", "CVE-2006-3467", "CVE-2006-3739", "CVE-2007-1667", "CVE-2007-4070", "CVE-2008-5684");
    
      script_name(english:"Solaris 10 (x86) : 119060-70");
      script_summary(english:"Check for patch 119060-70");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote host is missing Sun Security Patch number 119060-70"
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "X11 6.6.2_x86: Xsun patch.
    Date this patch was last updated by Sun : Nov/12/15"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://getupdates.oracle.com/readme/119060-70"
      );
      script_set_attribute(attribute:"solution", value:"Install patch 119060-70 or higher");
      # The base vector (network, medium complexity) is attributed to
      # CVE-2007-1667 by cvss_score_source on the next line; it is not the
      # score of CVE-2006-3739 itself.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-1667");
      # CWE-189 (numeric errors) and CWE-399 (resource management errors).
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:119060");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:10:121869");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:10");
    
      # vuln_publication_date is the earliest date for the bundle; the patch
      # revision checked here was published in 2015.
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Solaris Local Security Checks");
    
      # Declared prerequisites: the ssh_get_info.nasl dependency and two KB keys.
      # NOTE(review): presumably these keys are only present after a
      # credentialed scan - confirm against ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("solaris.inc");
    
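    # Host gating: only a Solaris 10 (SunOS 5.10) i386 host with local checks
    # enabled reaches the patch comparison. Every other case is handed to
    # audit() with the matching reason code.
    showrev = get_kb_item("Host/Solaris/showrev");
    if (empty_or_null(showrev)) audit(AUDIT_OS_NOT, "Solaris");
    # The dot between major and minor is escaped so that only a literal "5.10"
    # style release string matches. os_ver[1] is the full release, os_ver[2] the
    # minor number.
    os_ver = pregmatch(pattern:"Release: (\d+\.(\d+))", string:showrev);
    if (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Solaris");
    full_ver = os_ver[1];
    os_level = os_ver[2];
    if (full_ver != "5.10") audit(AUDIT_OS_NOT, "Solaris 10", "Solaris " + os_level);
    package_arch = pregmatch(pattern:"Application architecture: (\w+)", string:showrev);
    if (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);
    package_arch = package_arch[1];
    if (package_arch != "i386") audit(AUDIT_ARCH_NOT, "i386", package_arch);
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Start the counter explicitly instead of relying on an unset variable.
    flag = 0;
    
    # One comparison per package shipped in patch 119060-70; a negative return
    # is counted as "patch missing". This is a patch-level inventory check: it
    # does not test for CVE-2006-3739 or any other CVE individually.
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxorg-client-docs", version:"6.8.2.5.10.0110,REV=0.2005.06.21") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwacx", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwfnt", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwfs", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwice", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwinc", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwman", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwopt", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwplr", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwplt", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwpmn", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwrtl", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwsrv", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-70", obsoleted_by:"", package:"SUNWxwxst", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    
    if (flag) {
      # At least one package lacks the patch: report once on port 0 with the
      # text collected by solaris_get_report().
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : solaris_get_report()
      );
    } else {
      # Nothing missing: record why, in order of preference - a fixing patch is
      # installed, the tested packages are not affected, or none of the
      # packages is installed at all.
      patch_fix = solaris_patch_fix_get();
      if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, "Solaris 10");
      tested = solaris_pkg_tests_get();
      if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "SUNWxorg-client-docs / SUNWxwacx / SUNWxwfnt / SUNWxwfs / SUNWxwice / etc");
    }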
    
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_X86_119060_45.NASL
    description: X11 6.6.2_x86: Xsun patch. This patch addresses IAVT 2009-T-0001.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82537
    published: 2015-04-02
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82537
    title: Solaris 10 (x86) : 119060-45
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text in this plugin was
    # extracted from the Oracle SunOS Patch Updates.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when the scanner loads the
    # script with `description` set: it records the plugin's identity and
    # attributes, then exits before the patch check further down.
    if (description)
    {
      script_id(82537);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:24");
    
      # Patch 119060-45 is mapped to seven CVEs, CVE-2006-3739 among them; a
      # finding means the patch is missing, not that a given CVE was verified.
      script_cve_id(
        "CVE-2005-2495",
        "CVE-2005-3099",
        "CVE-2006-3467",
        "CVE-2006-3739",
        "CVE-2007-1667",
        "CVE-2007-4070",
        "CVE-2008-5684"
      );
      script_bugtraq_id(
        14807,
        18034,
        19974,
        23300,
        32807
      );
    
      script_name(english:"Solaris 10 (x86) : 119060-45");
      script_summary(english:"Checks for patch 119060-45");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote host is missing Sun security patch number 119060-45."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "X11 6.6.2_x86: Xsun patch.
    This patch addresses IAVT 2009-T-0001."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://getupdates.oracle.com/readme/119060-45"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"You should install this patch for your system to be up-to-date."
      );
      # Network / medium-complexity vector recorded for the whole CVE bundle.
      # NOTE(review): CVE-2006-3739 on its own is a local issue (crafted AFM
      # font file), so this vector presumably comes from another CVE in the
      # list - confirm before using it to prioritise CVE-2006-3739.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # Temporal vector: exploitability unproven, official fix available,
      # report confirmed. The two attributes below record the same
      # "no known exploit" status in text form.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-189 (numeric errors) and CWE-399 (resource management errors).
      script_cwe_id(189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.");
      script_family(english:"Solaris Local Security Checks");
    
      # Declared prerequisites: the ssh_get_info.nasl dependency and two KB keys.
      # NOTE(review): presumably these keys are only present after a
      # credentialed scan - confirm against ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("solaris.inc");
    
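    # Patch check for 119060-45. The only explicit precondition is that local
    # checks are enabled.
    # NOTE(review): there is no OS or architecture test here; release and arch
    # are passed to solaris_check_patch(), which presumably skips hosts that do
    # not match - confirm in solaris.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Start the counter explicitly instead of relying on an unset variable.
    flag = 0;
    
    # One comparison per package shipped in the patch; a negative return is
    # counted as "patch missing". This is a patch-level inventory check: it
    # does not test for CVE-2006-3739 or any other CVE individually.
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwsrv", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwplr", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwrtl", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwice", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwfs", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwxst", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwinc", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwfnt", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwpmn", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxorg-client-docs", version:"6.8.2.5.10.0110,REV=0.2005.06.21") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwplt", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwopt", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwacx", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    if (solaris_check_patch(release:"5.10_x86", arch:"i386", patch:"119060-45", obsoleted_by:"", package:"SUNWxwman", version:"6.6.2.7400,REV=0.2004.12.15") < 0) flag++;
    
    if (flag)
    {
      # At least one package lacks the patch: report on port 0, attaching the
      # per-package detail only when report verbosity is above zero.
      if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());
      else security_hole(0);
      exit(0);
    }
    # No package was counted as missing the patch.
    audit(AUDIT_HOST_NOT, "affected");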
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XORG-X11-SERVER-2062.NASL
    description: This update fixes an integer overflow vulnerability when rendering CID-keyed fonts. (CVE-2006-3739 / CVE-2006-3740)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29605
    published: 2007-12-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29605
    title: SuSE 10 Security Update : xorg-x11-server (ZYPP Patch Number 2062)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs only when the scanner loads the
    # script with `description` set: it records the plugin's identity and
    # attributes, then exits before the package check further down.
    if (description)
    {
      script_id(29605);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:29");
    
      # This update is scoped to the two CID font integer overflows only.
      script_cve_id("CVE-2006-3739", "CVE-2006-3740");
    
      script_name(english:"SuSE 10 Security Update : xorg-x11-server (ZYPP Patch Number 2062)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes an integer overflow vulnerability when rendering
    CID-keyed fonts. (CVE-2006-3739 / CVE-2006-3740)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-3739.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-3740.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2062.");
      # Local, low-complexity vector with complete C/I/A impact: exploitation
      # needs local access, and full impact is assumed.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Declared prerequisites: the ssh_get_info.nasl dependency and four KB keys
      # (local checks flag, CPU type, SuSE release, installed RPM list).
      # NOTE(review): presumably these keys are only present after a
      # credentialed scan - confirm against ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions: local checks enabled, a SuSE release recorded, and an RPM
    # inventory available. The first two are "not applicable" exits (status 0),
    # the third is an error exit (status 1).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      exit(0, "Local checks are not enabled.");
    }
    if (!get_kb_item("Host/SuSE/release"))
    {
      exit(0, "The host is not running SuSE.");
    }
    if (!get_kb_item("Host/SuSE/rpm-list"))
    {
      exit(1, "Could not obtain the list of installed packages.");
    }
    
    # Architecture gate: only x86_64 and i386-i686 are handled by this check.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      exit(1, "Failed to determine the architecture type.");
    }
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$")
    {
      exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    }
    
    # Compare the installed xorg-x11-server package with the fixed build on both
    # SLED10 and SLES10. Both calls are always made so that each can contribute
    # to the RPM report. This is a package-version check; it does not exercise
    # the font parser itself.
    flag = 0;
    if (rpm_check(release:"SLED10", sp:0, reference:"xorg-x11-server-6.9.0-50.24"))
    {
      flag = flag + 1;
    }
    if (rpm_check(release:"SLES10", sp:0, reference:"xorg-x11-server-6.9.0-50.24"))
    {
      flag = flag + 1;
    }
    
    # Nothing flagged: the host is reported as not affected.
    if (!flag)
    {
      exit(0, "The host is not affected.");
    }
    
    # Otherwise report on port 0, attaching the RPM detail only when report
    # verbosity is above zero.
    if (report_verbosity > 0)
    {
      security_hole(port:0, extra:rpm_report_get());
    }
    else
    {
      security_hole(0);
    }
    exit(0);
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-74.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Nov/04/19
    last seen2020-06-01
    modified2020-06-02
    plugin id130508
    published2019-11-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130508
    titleSolaris 10 (sparc) : 119059-74
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_119060-64.NASL
    descriptionX11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Sep/12/13
    last seen2020-06-01
    modified2020-06-02
    plugin id107801
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107801
    titleSolaris 10 (x86) : 119060-64
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_X86_124833.NASL
    descriptionX11 6.6.1_x86: font patch. Date this patch was last updated by Sun : May/03/07
    last seen2020-06-01
    modified2020-06-02
    plugin id24862
    published2007-03-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24862
    titleSolaris 9 (x86) : 124833-02
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200609-07.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200609-07 (LibXfont, monolithic X.org: Multiple integer overflows) Several integer overflows have been found in the CID font parser. Impact : A remote attacker could exploit this vulnerability by enticing a user to load a malicious font file resulting in the execution of arbitrary code with the permissions of the user running the X server which typically is the root user. A local user could exploit this vulnerability to gain elevated privileges. Workaround : Disable CID-encoded Type 1 fonts by removing the […] (description truncated on this page)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22352
    published: 2006-09-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22352
    title: GLSA-200609-07 : LibXfont, monolithic X.org: Multiple integer overflows
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-164.NASL
    description: Local exploitation of an integer overflow vulnerability in the […] (description truncated on this page)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23908
    published: 2006-12-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23908
    title: Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2006:164-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0665.NASL
    descriptionUpdated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22346
    published2006-09-14
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22346
    titleRHEL 4 : xorg-x11 (RHSA-2006:0665)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-65.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Sep/12/13
    last seen2020-06-01
    modified2020-06-02
    plugin id107299
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107299
    titleSolaris 10 (sparc) : 119059-65
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-66.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Mar/15/14
    last seen2020-06-01
    modified2020-06-02
    plugin id107300
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107300
    titleSolaris 10 (sparc) : 119059-66
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-72.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Mar/09/17
    last seen2020-06-01
    modified2020-06-02
    plugin id107304
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107304
    titleSolaris 10 (sparc) : 119059-72
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_119060-73.NASL
    descriptionX11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Nov/04/19
    last seen2020-06-01
    modified2020-06-02
    plugin id130510
    published2019-11-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130510
    titleSolaris 10 (x86) : 119060-73
  • NASL familySuSE Local Security Checks
    NASL idSUSE_XORG-X11-SERVER-2056.NASL
    descriptionThis update fixes an integer overflow vulnerability when rendering CID-keyed fonts (CVE-2006-3739/CVE-2006-3740).
    last seen2020-06-01
    modified2020-06-02
    plugin id27494
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27494
    titleopenSUSE 10 Security Update : xorg-x11-server (xorg-x11-server-2056)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059_46.NASL
    descriptionX11 6.6.2: Xsun patch. This patch addresses IAVT 2009-T-0001.
    last seen2020-06-01
    modified2020-06-02
    plugin id82536
    published2015-04-02
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82536
    titleSolaris 10 (sparc) : 119059-46
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-259-01.NASL
    descriptionNew x11 (X.Org) packages are available for Slackware 10.2, and -current to fix security issues due to overflows in font parsing.
    last seen2020-06-01
    modified2020-06-02
    plugin id22420
    published2006-09-22
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22420
    titleSlackware 10.2 / current : x11 (SSA:2006-259-01)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0666.NASL
    descriptionUpdated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22347
    published2006-09-14
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22347
    titleRHEL 2.1 / 3 : XFree86 (RHSA-2006:0666)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-344-1.NASL
    description: iDefense security researchers found several integer overflows in X.org […] (description truncated on this page)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27923
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27923
    title: Ubuntu 5.04 / 5.10 / 6.06 LTS : libxfont, xorg vulnerabilities (USN-344-1)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_119060-69.NASL
    descriptionX11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Jul/13/15
    last seen2020-06-01
    modified2020-06-02
    plugin id107804
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107804
    titleSolaris 10 (x86) : 119060-69
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0665.NASL
    descriptionUpdated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22339
    published2006-09-14
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22339
    titleCentOS 4 : xorg-x11 (CESA-2006:0665)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_119060-68.NASL
    descriptionX11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Nov/15/14
    last seen2020-06-01
    modified2020-06-02
    plugin id107803
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107803
    titleSolaris 10 (x86) : 119060-68
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_119060-65.NASL
    descriptionX11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Mar/15/14
    last seen2020-06-01
    modified2020-06-02
    plugin id107802
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107802
    titleSolaris 10 (x86) : 119060-65
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2006-0665.NASL
    description: From Red Hat Security Advisory 2006:0665: Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67407
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67407
    title: Oracle Linux 4 : xorg-x11 (ELSA-2006-0665)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1193.NASL
    description: Several vulnerabilities have been discovered in the X Window System, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2006-3467: Chris Evan discovered an integer overflow in the code to handle PCF fonts, which might lead to denial of service if a malformed font is opened.
      - CVE-2006-3739: It was discovered that an integer overflow in the code to handle Adobe Font Metrics might lead to the execution of arbitrary code.
      - CVE-2006-3740: It was discovered that an integer overflow in the code to handle CMap and CIDFont font data might lead to the execution of arbitrary code.
      - CVE-2006-4447: The XFree86 initialization code performs insufficient checking of the return value of setuid() when dropping privileges, which might lead to local privilege escalation.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22734
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22734
    title: Debian DSA-1193-1 : xfree86 - several vulnerabilities
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_119059.NASL
    description: X11 6.6.2: Xsun patch. Date this patch was last updated by Sun: Jun/15/17. This plugin has been deprecated and either replaced with individual 119059 patch-revision plugins, or deemed non-security related.
    last seen: 2019-02-21
    modified: 2018-07-30
    plugin id: 22952
    published: 2006-11-06
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=22952
    title: Solaris 10 (sparc) : 119059-73 (deprecated)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0666.NASL
    description: Updated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22340
    published: 2006-09-14
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22340
    title: CentOS 3 : XFree86 (CESA-2006:0666)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_119060-71.NASL
    descriptionX11 6.6.2_x86: Xsun patch. Date this patch was last updated by Sun : Mar/09/17
    last seen2020-06-01
    modified2020-06-02
    plugin id107806
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107806
    titleSolaris 10 (x86) : 119060-71
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-69.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Nov/15/14
    last seen2020-06-01
    modified2020-06-02
    plugin id107301
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107301
    titleSolaris 10 (sparc) : 119059-69
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-71.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Nov/12/15
    last seen2020-06-01
    modified2020-06-02
    plugin id107303
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107303
    titleSolaris 10 (sparc) : 119059-71
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_119059-70.NASL
    descriptionX11 6.6.2: Xsun patch. Date this patch was last updated by Sun : Jul/13/15
    last seen2020-06-01
    modified2020-06-02
    plugin id107302
    published2018-03-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107302
    titleSolaris 10 (sparc) : 119059-70

Oval

accepted: 2013-04-29T04:04:27.296-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
family: unix
id: oval:org.mitre.oval:def:10305
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Integer overflow in the CIDAFM function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted Adobe Font Metrics (AFM) files with a modified number of character metrics (StartCharMetrics), which leads to a heap-based buffer overflow.
version: 26

Redhat

advisories:
  • rhsa
    id: RHSA-2006:0665
  • rhsa
    id: RHSA-2006:0666
rpms
  • xorg-x11-0:6.8.2-1.EL.13.37.2
  • xorg-x11-Mesa-libGL-0:6.8.2-1.EL.13.37.2
  • xorg-x11-Mesa-libGLU-0:6.8.2-1.EL.13.37.2
  • xorg-x11-Xdmx-0:6.8.2-1.EL.13.37.2
  • xorg-x11-Xnest-0:6.8.2-1.EL.13.37.2
  • xorg-x11-Xvfb-0:6.8.2-1.EL.13.37.2
  • xorg-x11-deprecated-libs-0:6.8.2-1.EL.13.37.2
  • xorg-x11-deprecated-libs-devel-0:6.8.2-1.EL.13.37.2
  • xorg-x11-devel-0:6.8.2-1.EL.13.37.2
  • xorg-x11-doc-0:6.8.2-1.EL.13.37.2
  • xorg-x11-font-utils-0:6.8.2-1.EL.13.37.2
  • xorg-x11-libs-0:6.8.2-1.EL.13.37.2
  • xorg-x11-sdk-0:6.8.2-1.EL.13.37.2
  • xorg-x11-tools-0:6.8.2-1.EL.13.37.2
  • xorg-x11-twm-0:6.8.2-1.EL.13.37.2
  • xorg-x11-xauth-0:6.8.2-1.EL.13.37.2
  • xorg-x11-xdm-0:6.8.2-1.EL.13.37.2
  • xorg-x11-xfs-0:6.8.2-1.EL.13.37.2
  • XFree86-0:4.3.0-113.EL
  • XFree86-100dpi-fonts-0:4.3.0-113.EL
  • XFree86-75dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-14-100dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-14-75dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-15-100dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-15-75dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-2-100dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-2-75dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-9-100dpi-fonts-0:4.3.0-113.EL
  • XFree86-ISO8859-9-75dpi-fonts-0:4.3.0-113.EL
  • XFree86-Mesa-libGL-0:4.3.0-113.EL
  • XFree86-Mesa-libGLU-0:4.3.0-113.EL
  • XFree86-Xnest-0:4.3.0-113.EL
  • XFree86-Xvfb-0:4.3.0-113.EL
  • XFree86-base-fonts-0:4.3.0-113.EL
  • XFree86-cyrillic-fonts-0:4.3.0-113.EL
  • XFree86-devel-0:4.3.0-113.EL
  • XFree86-doc-0:4.3.0-113.EL
  • XFree86-font-utils-0:4.3.0-113.EL
  • XFree86-libs-0:4.3.0-113.EL
  • XFree86-libs-data-0:4.3.0-113.EL
  • XFree86-sdk-0:4.3.0-113.EL
  • XFree86-syriac-fonts-0:4.3.0-113.EL
  • XFree86-tools-0:4.3.0-113.EL
  • XFree86-truetype-fonts-0:4.3.0-113.EL
  • XFree86-twm-0:4.3.0-113.EL
  • XFree86-xauth-0:4.3.0-113.EL
  • XFree86-xdm-0:4.3.0-113.EL
  • XFree86-xfs-0:4.3.0-113.EL

References