X.org X11 up to 7.1-1.1.0 DBE Extension ProcDbeGetVisualInfo integer coercion
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.4 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in X.org X11 up to 7.1-1.1.0. Affected by this vulnerability is the function ProcDbeGetVisualInfo of the component DBE Extension. Such manipulation leads to integer coercion.
This vulnerability is documented as CVE-2006-6101. There is not any exploit available.
Applying a patch is advised to resolve this issue.
Details
A vulnerability was found in X.org X11 up to 7.1-1.1.0 (Windowing System Software). It has been rated as critical. Affected by this issue is the function ProcDbeGetVisualInfo of the component DBE Extension. The manipulation with an unknown input leads to a integer coercion vulnerability. Using CWE to declare the problem leads to CWE-192. Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Integer overflow in the ProcRenderAddGlyphs function in the Render extension for X.Org 6.8.2, 6.9.0, 7.0, and 7.1, and XFree86 X server, allows local users to execute arbitrary code via a crafted X protocol request that triggers memory corruption during processing of glyph management data structures.
The bug was discovered 01/09/2007. The weakness was released 01/10/2007 by Sean Larsson with iDefense (Website). The advisory is shared for download at labs.idefense.com. This vulnerability is handled as CVE-2006-6101 since 11/24/2006. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available.
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 67435 (Oracle Linux 4 : xorg-x11 (ELSA-2007-0003)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 156205 (Oracle Enterprise Linux Update for XFree86 (ELSA-2007:0002)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at x.org. A possible mitigation has been published 5 days after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (31376), Tenable (67435), SecurityFocus (BID 21968†), OSVDB (32085†) and Secunia (SA23670†). Entries connected to this vulnerability are available at VDB-2817, VDB-2815 and VDB-34129. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.x.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.4
VulDB Base Score: 7.3
VulDB Temp Score: 6.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Integer coercionCWE: CWE-192 / CWE-189
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 67435
Nessus Name: Oracle Linux 4 : xorg-x11 (ELSA-2007-0003)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 58133
OpenVAS Name: Slackware Advisory SSA:2007-066-02 x11
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
Exposure Time: 🔍
Patch: x.org
Timeline
11/24/2006 🔍12/31/2006 🔍
12/31/2006 🔍
01/09/2007 🔍
01/09/2007 🔍
01/10/2007 🔍
01/10/2007 🔍
01/10/2007 🔍
01/10/2007 🔍
01/12/2007 🔍
01/14/2007 🔍
01/15/2007 🔍
07/12/2013 🔍
07/13/2019 🔍
Sources
Vendor: x.orgAdvisory: labs.idefense.com⛔
Researcher: Sean Larsson
Organization: iDefense
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2006-6101 (🔍)
GCVE (CVE): GCVE-0-2006-6101
GCVE (VulDB): GCVE-100-2816
OVAL: 🔍
X-Force: 31376 - X.Org and XFree86 X server DBE ProcDbeGetVisualInfo() integer overflow, High Risk
SecurityFocus: 21968 - X.Org DBE And Render Extensions Multiple Local Integer Overflow Vulnerabilities
Secunia: 23670 - X.Org X11 "DBE" and "Render" Extensions Vulnerabilities, Less Critical
OSVDB: 32085 - Multiple Vendor DBE Extension ProcDbeGetVisualInfo Function Overflow
SecurityTracker: 1017495
SecuriTeam: securiteam.com
Vulnerability Center: 14027 - X.Org Render Extension Local Code Execution due to Integer Overflow in ProcRenderAddGlyphs Function, High
Vupen: ADV-2007-0108
See also: 🔍
Entry
Created: 01/12/2007 10:43Updated: 07/13/2019 17:03
Changes: 01/12/2007 10:43 (106), 07/13/2019 17:03 (2)
Complete: 🔍
Cache ID: 216:EF0:103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.