[Japanese]
|
JVNDB-2008-001043
|
X.Org Foundation X server buffer overflow vulnerability
|
X server provided by the X.Org Foundation contains a buffer overflow vulnerability.
The X.Org Foundation provides an open source implementation of the X Window System. The X server of this implementation contains a vulnerability in the handling of Portable Compiled Font (PCF) format fonts that can be exploited to cause a buffer overflow.
X.Org Foundation released the X.Org security advisory on January 17, 2008, and CERT/CC released VU#203220 on March 19, 2008 regarding this vulnerability issue.
Takuya Shiozaki of CODE blog (codeblog.org) reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 7.4 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
|
|
Canonical
- Ubuntu 6.06-lts
- Ubuntu 6.10
- Ubuntu 7.04
- Ubuntu 7.10
Fedora Project
Gentoo Foundation, Inc.
- Gentoo Linux x11-base/xorg-server 1.3.0.0-r5
- Gentoo Linux x11-libs/libXfont 1.3.1-r1
IBM Corporation
- IBM AIX 5.2
- IBM AIX 5.3
- IBM AIX 6.1
Mandriva, Inc.
- Mandriva Linux XFree86 CS3.0
- Mandriva Linux xorg-x11 CS4.0
OpenBSD
openSUSE project
- openSUSE 10.2
- openSUSE 10.3
SUSE
- Novell Linux Desktop 9
- Novell Linux POS 9
- Open Enterprise Server
- SLE SDK 10
- SUSE LINUX 10.1
- SUSE Linux Enterprise Desktop 10
- SUSE Linux Enterprise Server 10
- SUSE Linux Enterprise Server 8
- SUSE SLES 9
X.Org Foundation
- X.Org X11 1.4 and earlier
XFree86 Project
- XFree86 4.7.99.14 and earlier
Apple Inc.
- Apple Mac OS X v10.4.11
- Apple Mac OS X v10.5.2
- Apple Mac OS X Server v10.4.11
- Apple Mac OS X Server v10.5.2
Cybertrust Japan Co., Ltd.
- Asianux Server 3 (x86)
- Asianux Server 3 (x86-64)
- Asianux Server 2.0
- Asianux Server 2.1
- Asianux Server 4.0
- Asianux Server 4.0 (x86-64)
- Asianux Server 3.0
- Asianux Server 3.0 (x86-64)
Sun Microsystems, Inc.
- Sun Solaris 10 (sparc)
- Sun Solaris 10 (x86)
- Sun Solaris 8 (sparc)
- Sun Solaris 8 (x86)
- Sun Solaris 9 (sparc)
- Sun Solaris 9 (x86)
Hewlett-Packard Development Company,L.P
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux 2.1 (as)
- Red Hat Enterprise Linux 3 (as)
- Red Hat Enterprise Linux 4 (as)
- Red Hat Enterprise Linux 2.1 (es)
- Red Hat Enterprise Linux 3 (es)
- Red Hat Enterprise Linux 4 (es)
- Red Hat Enterprise Linux 2.1 (ws)
- Red Hat Enterprise Linux 3 (ws)
- Red Hat Enterprise Linux 4 (ws)
- Red Hat Enterprise Linux Desktop 3.0
- Red Hat Enterprise Linux Desktop 4.0
- Red Hat Enterprise Linux Desktop 5.0 (client)
- Red Hat Linux Advanced Workstation 2.1
- RHEL Desktop Workstation 5 (client)
FUJITSU
|
|
An attacker with an established, authenticated connection to the X server could execute arbitrary code with the privilege of X server process or cause the server to crash.
|
[Update the Software]
Apply the latest updates provided by the vendors.
|
Canonical
Fedora Project
Gentoo Foundation, Inc.
IBM Corporation
- IBM Support Document : 4136
Mandriva, Inc.
openSUSE project
SUSE
X.Org Foundation
XFree86 Project
Apple Inc.
Cybertrust Japan Co., Ltd.
- Asianux Technical Support Network : libXfont-1.2.2-1.0.3AXS3 (Japanese)
- MIRACLE LINUX Update Information : 1209 (Japanese)
- MIRACLE LINUX Update Information : 1230 (Japanese)
- MIRACLE LINUX Update Information : 1347 (Japanese)
Sun Microsystems, Inc.
- Sun Alert Notification : 103192
Hewlett-Packard Development Company,L.P
Red Hat, Inc.
FUJITSU
|
- Buffer Errors(CWE-119) [NVD Evaluation]
|
- CVE-2008-0006
|
- JVN : JVN#88935101
- JVN Status Tracking Notes : TRTA08-079A
- National Vulnerability Database (NVD) : CVE-2008-0006
- IPA SECURITY ALERTS : Security Alert for X.Org Foundation X Server Vulnerability
- US-CERT Cyber Security Alerts : SA08-079A
- US-CERT Vulnerability Note : VU#203220
- US-CERT Technical Cyber Security Alert : TA08-079A
- Secunia Advisory : SA28532
- SecurityFocus : 27352
- SecurityTracker : 1019232
- FrSIRT Advisories : FrSIRT/ADV-2008-0179
- JVN iPedia (Japanese) : JVNDB-2008-001043
|
- [2008/06/13]
Web page published
[2008/07/11]
Affected Products : Added FUJITSU. (JVN#88935101).
Vendor Information : FUJITSU. (JVN#88935101).
[2008/11/21]
Affected Products : Added MIRACLE LINUX CORPORATION (1347).
Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02381).
Vendor Information : Added MIRACLE LINUX CORPORATION (1347).
Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02381).
|