(IBM Issues Fix) X Font Server Overflows in QueryXBitmaps and QueryXExtents Requests Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1018873
SecurityTracker URL: http://securitytracker.com/id/1018873
CVE Reference: CVE-2007-4568, CVE-2007-4990
Date: Oct 31 2007
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): XFS 1.0.4 and prior versions

Description:
A vulnerability was reported in X.org's X Font Server. A remote user can send specially crafted data to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target X Font Server.
Specially crafted QueryXBitmaps and QueryXExtents protocol requests can trigger an integer overflow.
Specially crafted QueryXBitmaps and QueryXExtents protocol requests can trigger a heap overflow.
On some systems the vulnerability cannot be exploited remotely; this depends on whether the X Font Server listens on a network port.
The vendor was notified on September 5, 2007.
Sean Larsson of VeriSign iDefense Labs discovered these vulnerabilities.

Impact:
A remote user can execute arbitrary code on the target system.

Solution:
IBM has developed a fix for AIX.
For 5.2.0: IZ06001
For 5.3.0: IZ06648
The IBM advisory is available at:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3989

Vendor URL: www.x.org/
Cause: Boundary error
Underlying OS: UNIX (AIX)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Tue, 30 Oct 2007 17:07:29 -0500
Subject: IBM AIX

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Mon Oct 29 12:33:35 CDT 2007
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: AIX xfs heap vulnerabilities
PLATFORMS: AIX 5.2, 5.3
SOLUTION: Apply the APAR, interim fix or workaround as
described below.
THREAT: A remote attacker may run arbitrary code with root
privileges.
CERT VU Number: n/a
CVE Number: CVE-2007-4568 and CVE-2007-4990
===============================================================================
DETAILED INFORMATION
I. OVERVIEW
xfs is the AIXwindows font server. It supplies fonts to AIXwindows
display servers. The primary fileset for the AIX font server is
'X11.fnt.fontServer'. The xfs command provided by this fileset
contains two heap vulnerabilities.
II. DESCRIPTION
A heap vulnerability exists in the 'X11.fnt.fontServer'
fileset command listed below. A remote attacker may execute
arbitrary code with root privileges because the service runs with
root privileges.
For more details please visit:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4990
The following 'X11.fnt.fontServer' command is vulnerable:
/usr/lpp/X11/bin/xfs
III. IMPACT
The successful exploitation of this vulnerability allows a
non-privileged user to execute code with root privileges.
IV. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, run the following
command:
# lslpp -l X11.fnt.fontServer
The following fileset levels are vulnerable:
AIX Fileset            AIX Level    Lower Level    Upper Level
----------------------------------------------------------------
X11.fnt.fontServer     5.2.0        5.2.0.0        5.2.0.105
X11.fnt.fontServer     5.3.0        5.3.0.0        5.3.0.60
NOTE: IBM only supports the latest two releases (AIX 5.2 and 5.3)
and the latest three Technology Levels (AIX 5.2 TL08, TL09, TL10
and AIX 5.3 TL04, TL05, TL06). Affected customers are urged to
upgrade to the latest applicable Technology Level and Service
Pack.
V. SOLUTIONS
A. APARS
IBM provides the following fixes:
AIX Level    APAR number    Availability
--------------------------------------------------------------------
5.2.0        IZ06001        10/31/2007
5.3.0        IZ06648        11/27/2007
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IZ06001
http://www.ibm.com/support/docview.wss?uid=isg1IZ06648
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
NOTE: Affected customers are urged to upgrade to the latest
applicable Technology Level and Service Pack.
B. INTERIM FIXES
Interim fixes are available. The interim fix can be
downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/xfs_ifix.tar
The link above is to a tar file containing this signed
advisory, interim fix packages, and PGP signatures for each
package. The interim fixes below include prerequisite
checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.
AIX Fileset            AIX Release and      Interim fix
                       Technology Level
-----------------------------------------------------------------
X11.fnt.fontServer     5200-08              IZ06001.071023.epkg.Z
X11.fnt.fontServer     5200-09              IZ06001.071023.epkg.Z
X11.fnt.fontServer     5200-10              IZ06001.071023.epkg.Z
X11.fnt.fontServer     5300-04              IZ06648.071023.epkg.Z
X11.fnt.fontServer     5300-05              IZ06648.071023.epkg.Z
X11.fnt.fontServer     5300-06              IZ06648.071023.epkg.Z
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
These interim fixes have not been fully regression tested;
thus, IBM does not warrant the fully correct functionality of
the interim fix.
Verify you have retrieved the fixes intact:
The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
and are as follows:
sum filename
------------------------------------
11058 328 IZ06001.071023.epkg.Z
60189 335 IZ06648.071023.epkg.Z
cksum filename
------------------------------------------
1175775233 334915 IZ06001.071023.epkg.Z
1434263760 342313 IZ06648.071023.epkg.Z
csum -h MD5 (md5sum) filename
----------------------------------------------------------
d264535d2a23d1914bd81632fbd6519e IZ06001.071023.epkg.Z
9815b9c89955c9cca4aa9f68d3a19250 IZ06648.071023.epkg.Z
csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
ddd762c6ce68e657bed89c29def8e3ca4356f9a1 IZ06001.071023.epkg.Z
4eda201efb0bdbf89273828ff6c68336f38c3757 IZ06648.071023.epkg.Z
To verify the sums, use the text of this advisory as input to
csum, md5sum, or sha1sum. For example:
csum -h SHA1 -i Advisory.asc
md5sum -c Advisory.asc
sha1sum -c Advisory.asc
These sums should match exactly. The PGP signatures in the
compressed tarball and on this advisory can also be used to
verify the integrity of the various files they correspond to.
If the sums or signatures cannot be confirmed, double check
the command results and the download site address. If those
are OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.
C. INTERIM FIX INSTALLATION
These packages use the new Interim Fix Management Solution to
install and manage interim fixes. More information can be
found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an epkg interim fix installation execute the
following command:
# emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an epkg interim fix package, execute the following
command:
# emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
The "X" flag will expand any filesystems if required.
VI. WORKAROUNDS
If you are running xfs there are no known workarounds. If the
service is not needed and is running, shut it down.
VII. OBTAINING FIXES
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
Security related Interim Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
VIII. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
security-alert@austin.ibm.com
B. Download the key from a PGP Public Key Server. The key ID is:
0xA6A36CCC
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
IX. ACKNOWLEDGMENTS
This vulnerability was reported by iDefense Labs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFHJ1Z98lficKajbMwRAuLgAJ48/Nm3fr9Ln5ZOoJ8F619dH7unGwCfb4X5
GR8Gm8Hhh1d4TE+g2QHtSPc=
=QrFM
-----END PGP SIGNATURE-----
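
The fileset check from section IV of the IBM advisory, as an added example that is not part of the SecurityTracker entry or of IBM's advisory: it reads `lslpp -l` output and compares the installed level numerically against the two vulnerable ranges listed there. The lslpp output shown is constructed, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the advisory): flag vulnerable X11.fnt.fontServer levels.
# Ranges are the advisory's: 5.2.0.0-5.2.0.105 and 5.3.0.0-5.3.0.60.

# Constructed sample of `lslpp -l X11.fnt.fontServer` output (not from a real host).
SAMPLE_LSLPP='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  X11.fnt.fontServer        5.2.0.95  COMMITTED  AIXwindows Font Server'

# Print the Level column of the first X11.fnt.fontServer row read from stdin.
xfs_level() {
    awk '$1 == "X11.fnt.fontServer" { print $2; exit }'
}

# Succeed if level $1 is within [$2, $3]; fields are compared as numbers,
# because a string compare would sort 5.2.0.95 after 5.2.0.105.
in_range() {
    awk -v v="$1" -v lo="$2" -v hi="$3" '
    function cmp(a, b,    x, y, i) {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) return -1
            if (x[i] + 0 > y[i] + 0) return 1
        }
        return 0
    }
    BEGIN { ok = (cmp(v, lo) >= 0 && cmp(v, hi) <= 0); exit(ok ? 0 : 1) }'
}

# Print VULNERABLE, NOT_IN_RANGE or UNKNOWN for a V.R.M.F level string.
# NOT_IN_RANGE only means "outside the two listed ranges"; the advisory
# covers AIX 5.2 and 5.3 and says nothing about older releases.
classify_xfs_level() {
    case "$1" in
        ""|*[!0-9.]*) echo UNKNOWN; return 0 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    if in_range "$1" 5.2.0.0 5.2.0.105 || in_range "$1" 5.3.0.0 5.3.0.60; then
        echo VULNERABLE
    else
        echo NOT_IN_RANGE
    fi
}

level=$(printf '%s\n' "$SAMPLE_LSLPP" | xfs_level)
echo "X11.fnt.fontServer $level: $(classify_xfs_level "$level")"
# On AIX, feed real data instead: lslpp -l X11.fnt.fontServer | xfs_level
```

An UNKNOWN result (fileset not installed, or output that does not parse) should be checked by hand rather than treated as not affected.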