Synopsis

Important: XFree86 security update

Type/Severity

Security Advisory: Important

Topic

Updated XFree86 packages that fix several security issues are now available
for Red Hat Enterprise Linux 2.1 and 3.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

[Updated 18th January 2008]
The original packages distributed with this errata had a bug which could
cause some X applications to fail on 32-bit platforms. We have updated the
packages to correct this bug.

Description

XFree86 is an implementation of the X Window System, which provides the
core functionality for the Linux graphical desktop.

Two integer overflow flaws were found in the XFree86 server's EVI and
MIT-SHM modules. A malicious authorized client could exploit these issues
to cause a denial of service (crash), or potentially execute arbitrary code
with root privileges on the XFree86 server. (CVE-2007-6429)

A heap based buffer overflow flaw was found in the way the XFree86 server
handled malformed font files. A malicious local user could exploit this
issue to potentially execute arbitrary code with the privileges of the
XFree86 server. (CVE-2008-0006)

A memory corruption flaw was found in the XFree86 server's XInput
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash), or potentially execute arbitrary code with
root privileges on the XFree86 server. (CVE-2007-6427)

An information disclosure flaw was found in the XFree86 server's TOG-CUP
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash), or potentially view arbitrary memory content
within the XFree86 server's address space. (CVE-2007-6428)

An integer and heap overflow flaw were found in the X.org font server, xfs.
A user with the ability to connect to the font server could have been able
to cause a denial of service (crash), or potentially execute arbitrary code
with the permissions of the font server. (CVE-2007-4568, CVE-2007-4990)

A flaw was found in the XFree86 server's XC-SECURITY extension, that could
have allowed a local user to verify the existence of an arbitrary file,
even in directories that are not normally accessible to that user.
(CVE-2007-5958)

Users of XFree86 are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Enterprise Linux Server 3 x86_64
• Red Hat Enterprise Linux Server 3 ia64
• Red Hat Enterprise Linux Server 3 i386
• Red Hat Enterprise Linux Workstation 3 x86_64
• Red Hat Enterprise Linux Workstation 3 ia64
• Red Hat Enterprise Linux Workstation 3 i386
• Red Hat Enterprise Linux Desktop 3 x86_64
• Red Hat Enterprise Linux Desktop 3 i386
• Red Hat Enterprise Linux for IBM z Systems 3 s390x
• Red Hat Enterprise Linux for IBM z Systems 3 s390
• Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

• BZ - 281921 - CVE-2007-4568 xfs integer overflow in the build_range function
• BZ - 322961 - CVE-2007-4990 xfs heap overflow in the swap_char2b function
• BZ - 391841 - CVE-2007-5958 Xorg / XFree86 file existence disclosure vulnerability
• BZ - 413721 - CVE-2007-6429 xorg / xfree86: integer overflow in EVI extension
• BZ - 413741 - CVE-2007-6429 xorg / xfree86: integer overflow in MIT-SHM extension
• BZ - 413791 - CVE-2007-6428 xorg / xfree86: information disclosure via TOG-CUP extension
• BZ - 413811 - CVE-2007-6427 xorg / xfree86: memory corruption via XInput extension
• BZ - 428044 - CVE-2008-0006 Xorg / XFree86 PCF font parser buffer overflow

CVEs

• CVE-2008-0006
• CVE-2007-6428
• CVE-2007-6429
• CVE-2007-5958
• CVE-2007-6427
• CVE-2007-4568
• CVE-2007-4990

References

• http://www.redhat.com/security/updates/classification/#important

This erratum does not contain any packages.