CVE-2007-4990

Description

The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.

References

Link	Tags
http://www.novell.com/linux/security/advisories/2007_54_xorg.html	vendor advisory
http://www.securitytracker.com/id?1018763	vdb entry
http://secunia.com/advisories/28542	third party advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200642-1	vendor advisory
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00352.html	vendor advisory
http://www.securityfocus.com/archive/1/481432/100/0/threaded	mailing list
http://bugs.freedesktop.org/show_bug.cgi?id=12299
http://secunia.com/advisories/28514	third party advisory
http://secunia.com/advisories/27052	third party advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602	third party advisory
http://secunia.com/advisories/27060	third party advisory
http://www.vupen.com/english/advisories/2008/0924/references	vdb entry
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01323725	vendor advisory
http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html	mailing list
http://www.redhat.com/support/errata/RHSA-2008-0029.html	vendor advisory
http://secunia.com/advisories/28004	third party advisory
http://secunia.com/advisories/27240	third party advisory
https://issues.rpath.com/browse/RPL-1756
http://secunia.com/advisories/29420	third party advisory
http://secunia.com/advisories/27040	third party advisory
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html	vendor advisory
http://secunia.com/advisories/27176	third party advisory
http://security.gentoo.org/glsa/glsa-200710-11.xml	vendor advisory
http://secunia.com/advisories/27228	third party advisory
http://www.vupen.com/english/advisories/2007/3467	vdb entry
http://www.redhat.com/support/errata/RHSA-2008-0030.html	vendor advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1	vendor advisory
http://www.vupen.com/english/advisories/2008/0149	vdb entry
http://www.mandriva.com/security/advisories?name=MDKSA-2007:210	vendor advisory
http://www.securityfocus.com/bid/25898	vdb entry
http://bugs.gentoo.org/show_bug.cgi?id=194606
http://www.vupen.com/english/advisories/2007/3338	vdb entry
http://secunia.com/advisories/27560	third party advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11599	signature vdb entry
http://docs.info.apple.com/article.html?artnum=307562
http://www.vupen.com/english/advisories/2007/3337	vdb entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/36920	vdb entry
http://secunia.com/advisories/28536	third party advisory

Frequently Asked Questions

What is the severity of CVE-2007-4990?: CVE-2007-4990 has been scored as a high severity vulnerability.
How to fix CVE-2007-4990?: To fix CVE-2007-4990, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2007-4990 being actively exploited in the wild?: It is possible that CVE-2007-4990 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-189 – Numeric Errors

References

Frequently Asked Questions