CVE-2006-3740 - Integer Overflow vulnerability in X.Org LibXfont CID Font File
- Attack vector: LOCAL
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: COMPLETE
- Integrity impact: COMPLETE
- Availability impact: COMPLETE

Summary
Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Application | | 1 |
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_XORG-X11-SERVER-2062.NASL
- description: This update fixes an integer overflow vulnerability when rendering CID-keyed fonts. (CVE-2006-3739 / CVE-2006-3740)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 29605
- published: 2007-12-13
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/29605
- title: SuSE 10 Security Update : xorg-x11-server (ZYPP Patch Number 2062)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29605);
  script_version ("1.13");
  script_cvs_date("Date: 2019/10/25 13:36:29");

  script_cve_id("CVE-2006-3739", "CVE-2006-3740");

  script_name(english:"SuSE 10 Security Update : xorg-x11-server (ZYPP Patch Number 2062)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes an integer overflow vulnerability when rendering CID-keyed fonts.
(CVE-2006-3739 / CVE-2006-3740)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-3739.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-3740.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2062.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SLED10", sp:0, reference:"xorg-x11-server-6.9.0-50.24")) flag++;
if (rpm_check(release:"SLES10", sp:0, reference:"xorg-x11-server-6.9.0-50.24")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200609-07.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200609-07 (LibXfont, monolithic X.org: Multiple integer overflows) Several integer overflows have been found in the CID font parser. Impact : A remote attacker could exploit this vulnerability by enticing a user to load a malicious font file resulting in the execution of arbitrary code with the permissions of the user running the X server which typically is the root user. A local user could exploit this vulnerability to gain elevated privileges. Workaround : Disable CID-encoded Type 1 fonts by removing the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22352
- published: 2006-09-15
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22352
- title: GLSA-200609-07 : LibXfont, monolithic X.org: Multiple integer overflows
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200609-07.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(22352);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2006-3739", "CVE-2006-3740");
  script_bugtraq_id(19974);
  script_xref(name:"GLSA", value:"200609-07");

  script_name(english:"GLSA-200609-07 : LibXfont, monolithic X.org: Multiple integer overflows");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200609-07
(LibXfont, monolithic X.org: Multiple integer overflows)

    Several integer overflows have been found in the CID font parser.

Impact :

    A remote attacker could exploit this vulnerability by enticing a user
    to load a malicious font file resulting in the execution of arbitrary
    code with the permissions of the user running the X server which
    typically is the root user. A local user could exploit this
    vulnerability to gain elevated privileges.

Workaround :

    Disable CID-encoded Type 1 fonts by removing the 'type1' module and
    replacing it with the 'freetype' module in xorg.conf."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200609-07"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All libXfont users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=x11-libs/libXfont-1.2.1'
    All monolithic X.org users are advised to migrate to modular X.org."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libXfont");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xorg-x11");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"x11-libs/libXfont", unaffected:make_list("ge 1.2.1"), vulnerable:make_list("lt 1.2.1"))) flag++;
if (qpkg_check(package:"x11-base/xorg-x11", unaffected:make_list("ge 7.0"), vulnerable:make_list("lt 7.0"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LibXfont / monolithic X.org");
}
```
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2006-164.NASL
- description: Local exploitation of an integer overflow vulnerability in the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 23908
- published: 2006-12-16
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/23908
- title: Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2006:164-1)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2006-0665.NASL
- description: Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22346
- published: 2006-09-14
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/22346
- title: RHEL 4 : xorg-x11 (RHSA-2006:0665)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_XORG-X11-SERVER-2056.NASL
- description: This update fixes an integer overflow vulnerability when rendering CID-keyed fonts (CVE-2006-3739/CVE-2006-3740).
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27494
- published: 2007-10-17
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/27494
- title: openSUSE 10 Security Update : xorg-x11-server (xorg-x11-server-2056)

- NASL family: Slackware Local Security Checks
- NASL id: SLACKWARE_SSA_2006-259-01.NASL
- description: New x11 (X.Org) packages are available for Slackware 10.2, and -current to fix security issues due to overflows in font parsing.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22420
- published: 2006-09-22
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22420
- title: Slackware 10.2 / current : x11 (SSA:2006-259-01)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2006-0666.NASL
- description: Updated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22347
- published: 2006-09-14
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/22347
- title: RHEL 2.1 / 3 : XFree86 (RHSA-2006:0666)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-344-1.NASL
- description: iDefense security researchers found several integer overflows in X.org
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27923
- published: 2007-11-10
- reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/27923
- title: Ubuntu 5.04 / 5.10 / 6.06 LTS : libxfont, xorg vulnerabilities (USN-344-1)

- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2006-0665.NASL
- description: Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22339
- published: 2006-09-14
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/22339
- title: CentOS 4 : xorg-x11 (CESA-2006:0665)

- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2006-0665.NASL
- description: From Red Hat Security Advisory 2006:0665 : Updated X.org packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-3739, CVE-2006-3740) Users of X.org should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 67407
- published: 2013-07-12
- reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/67407
- title: Oracle Linux 4 : xorg-x11 (ELSA-2006-0665)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1193.NASL
- description: Several vulnerabilities have been discovered in the X Window System, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems :
  - CVE-2006-3467 Chris Evan discovered an integer overflow in the code to handle PCF fonts, which might lead to denial of service if a malformed font is opened.
  - CVE-2006-3739 It was discovered that an integer overflow in the code to handle Adobe Font Metrics might lead to the execution of arbitrary code.
  - CVE-2006-3740 It was discovered that an integer overflow in the code to handle CMap and CIDFont font data might lead to the execution of arbitrary code.
  - CVE-2006-4447 The XFree86 initialization code performs insufficient checking of the return value of setuid() when dropping privileges, which might lead to local privilege escalation.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22734
- published: 2006-10-14
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22734
- title: Debian DSA-1193-1 : xfree86 - several vulnerabilities

- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2006-0666.NASL
- description: Updated XFree86 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having important security impact by the Red Hat Security Response Team. XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. iDefense reported two integer overflow flaws in the way the XFree86 server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2006-3739, CVE-2006-3740) Users of XFree86 should upgrade to these updated packages, which contain a backported patch and is not vulnerable to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22340
- published: 2006-09-14
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/22340
- title: CentOS 3 : XFree86 (CESA-2006:0666)
Oval
accepted | 2013-04-29T04:19:31.133-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections. |
family | unix |
id | oval:org.mitre.oval:def:9454 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Integer overflow in the scan_cidfont function in X.Org 6.8.2 and XFree86 X server allows local users to execute arbitrary code via crafted (1) CMap and (2) CIDFont font data with modified item counts in the (a) begincodespacerange, (b) cidrange, and (c) notdefrange sections. |
version | 26 |
Redhat
advisories | |
rpms | |
References
- http://secunia.com/advisories/21864
- http://secunia.com/advisories/21889
- http://secunia.com/advisories/21890
- http://secunia.com/advisories/21894
- http://secunia.com/advisories/21900
- http://secunia.com/advisories/21904
- http://secunia.com/advisories/21908
- http://secunia.com/advisories/21924
- http://secunia.com/advisories/22080
- http://secunia.com/advisories/22141
- http://secunia.com/advisories/22332
- http://secunia.com/advisories/22560
- http://secunia.com/advisories/23033
- http://secunia.com/advisories/23899
- http://secunia.com/advisories/23907
- http://secunia.com/advisories/24636
- http://security.gentoo.org/glsa/glsa-200609-07.xml
- http://securitytracker.com/id?1016828
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102780-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-190.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-191.htm
- http://www.debian.org/security/2006/dsa-1193
- http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:164
- http://www.novell.com/linux/security/advisories/2006_23_sr.html
- http://www.redhat.com/support/errata/RHSA-2006-0665.html
- http://www.redhat.com/support/errata/RHSA-2006-0666.html
- http://www.securityfocus.com/archive/1/445812/100/0/threaded
- http://www.securityfocus.com/archive/1/464268/100/0/threaded
- http://www.securityfocus.com/bid/19974
- http://www.ubuntu.com/usn/usn-344-1
- http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html
- http://www.vupen.com/english/advisories/2006/3581
- http://www.vupen.com/english/advisories/2006/3582
- http://www.vupen.com/english/advisories/2007/0322
- http://www.vupen.com/english/advisories/2007/1171
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28890
- https://issues.rpath.com/browse/RPL-614
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9454