Lucene search

K
gentooGentoo FoundationGLSA-200705-10
HistoryMay 08, 2007 - 12:00 a.m.

LibXfont, TightVNC: Multiple vulnerabilities

2007-05-0800:00:00
Gentoo Foundation
security.gentoo.org
26

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.05

Percentile

92.9%

Background

LibXfont is the X.Org font library. TightVNC is a VNC client/server for X displays.

Description

The libXfont code is prone to several integer overflows, in functions ProcXCMiscGetXIDList(), bdfReadCharacters() and FontFileInitTable(). TightVNC contains a local copy of this code and is also affected.

Impact

A local attacker could use a specially crafted BDF Font to gain root privileges on the vulnerable host.

Workaround

There is no known workaround at this time.

Resolution

All libXfont users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.7-r1"

All TightVNC users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/tightvnc-1.2.9-r4"
OSVersionArchitecturePackageVersionFilename
Gentooanyallnet-misc/tightvnc< 1.2.9-r4UNKNOWN
Gentooanyallx11-libs/libxfont< 1.2.7-r1UNKNOWN

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.05

Percentile

92.9%