GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Tue May 08, 2007 4:26 pm Post subject: [ GLSA 200705-10 ] LibXfont, TightVNC: Multiple vulnerabilit
Gentoo Linux Security Advisory
Title: LibXfont, TightVNC: Multiple vulnerabilities (GLSA 200705-10)
Severity: high
Exploitable: local
Date: May 08, 2007
Bug(s): #172575, #174200
ID: 200705-10
Synopsis
Multiple vulnerabilities have been reported in libXfont and TightVNC, allowing for the execution of arbitrary code with root privileges.
Background
LibXfont is the X.Org font library. TightVNC is a VNC client/server for X displays.
Affected Packages
Package: net-misc/tightvnc
Vulnerable: < 1.2.9-r4
Unaffected: >= 1.2.9-r4
Architectures: All supported architectures
Package: x11-libs/libXfont
Vulnerable: < 1.2.7-r1
Unaffected: >= 1.2.7-r1
Architectures: All supported architectures
Description
The libXfont code is prone to several integer overflows, in functions ProcXCMiscGetXIDList(), bdfReadCharacters() and FontFileInitTable(). TightVNC contains a local copy of this code and is also affected.
Impact
A local attacker could use a specially crafted BDF Font to gain root privileges on the vulnerable host.
Workaround
There is no known workaround at this time.
Resolution
All libXfont users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.7-r1"
All TightVNC users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tightvnc-1.2.9-r4"
References
CVE-2007-1003
CVE-2007-1351
CVE-2007-1352
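As an added example (not part of the advisory or of any Gentoo tool), the sketch below checks a package inventory against the thresholds in the Affected Packages section, including the `-rN` revision step that separates a vulnerable `1.2.7` from the fixed `1.2.7-r1`. The host names and installed versions are constructed, and the comparison is a simplified assumption that only handles dotted numeric versions with an optional `-rN` suffix, which covers every version named on this page.

```python
import re

# Thresholds copied from the advisory's "Affected Packages" section:
# any installed version below these is vulnerable.
FIXED_IN = {
    "net-misc/tightvnc": "1.2.9-r4",
    "x11-libs/libXfont": "1.2.7-r1",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Return ((numeric components...), revision) for 'N.N.N[-rR]'."""
    # Simplified: suffixes such as _p1 or _rc2 are rejected, not guessed at.
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"unsupported version format: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    revision = int(match.group(2) or 0)  # a missing -rN means r0
    return numbers, revision


def is_vulnerable(package, installed_version):
    """True if installed_version is below the advisory's fixed version."""
    return parse_version(installed_version) < parse_version(FIXED_IN[package])


def audit(inventory):
    """Return sorted (host, package, version) tuples that still need the upgrade."""
    findings = []
    for host, packages in inventory.items():
        for package, version in packages.items():
            if package in FIXED_IN and is_vulnerable(package, version):
                findings.append((host, package, version))
    return sorted(findings)


# Constructed inventory (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = {
    "build01": {"x11-libs/libXfont": "1.2.7", "net-misc/tightvnc": "1.2.9-r4"},
    "desk02": {"x11-libs/libXfont": "1.2.7-r1", "net-misc/tightvnc": "1.2.9-r3"},
    "desk03": {"x11-libs/libXfont": "1.2.10", "app-editors/vim": "7.0"},
}

if __name__ == "__main__":
    for host, package, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {package}-{version} is below {FIXED_IN[package]}")
```

Because TightVNC contains its own copy of the libXfont code, a host is only clear when both packages pass the check.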