SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware ESXi Vendors:   VMware
(VMware Issues Fix for ESX Server) X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017829
SecurityTracker URL:  http://securitytracker.com/id/1017829
CVE Reference:   CVE-2006-3739, CVE-2006-3740   (Links to External Site)
Date:  Mar 30 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in X. A remote authenticated user can execute arbitrary code on the target system. VMware ESX Server is affected.

The software does not properly validate data when parsing CID-encoded Type1 fonts. A remote authenticated user with the ability to set the X server font path can set the path to point to a specially crafted font to trigger an integer overflow in the "type1" module and execute arbitrary code on the target system.

The scan_cidfont() function in 'Type1/scanfont.c' is affected [CVE-2006-3739]. The CIDADM() function in 'Type1/afm.c' is affected [CVE-2006-3740].

The vendor credits iDefense with reporting these vulnerabilities.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   VMware has issued the following patches.

ESX 3.0.1
http://www.vmware.com/support/vi3/doc/esx-5031800-patch.html
md5sum c266474de27c569631b93bf566ad74f2 ESX-5031800.tgz
http://www.vmware.com/support/vi3/doc/esx-5885387-patch.html
md5sum 423e29b266f0d3181f2211dc6679b63e ESX-5885387.tgz
http://www.vmware.com/support/vi3/doc/esx-6856573-patch.html
md5sum 16bb030929bb005fe26c09f637cb9cd8 ESX-6856573.tgz

ESX 3.0.0
http://www.vmware.com/support/vi3/doc/esx-3003211-patch.html
md5sum 846fb515a9786646dc886cef8f09eac0 ESX-3003211.tgz
http://www.vmware.com/support/vi3/doc/esx-3194055-patch.html
md5sum db07e1cc41b715209034f15910c9847f ESX-3194055.tgz
http://www.vmware.com/support/vi3/doc/esx-3496682-patch.html
md5sum 929c6830a4cdc939b0b2a35e83e3b1ac ESX-3496682.tgz


ESX 2.5.4
http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html
md5sum: 70006981fcdc6708bc08515400855a68

ESX 2.5.3
http://www.vmware.com/support/esx25/doc/esx-253-200702-patch.html
md5sum: 19b874bf983b176dc3fc733325e807dc

ESX 2.1.3
http://www.vmware.com/support/esx21/doc/esx-213-200702-patch.html
md5sum: c74b64a4f936f605e98eada10a3fc1ae

ESX 2.0.2
http://www.vmware.com/support/esx2/doc/esx-202-200702-patch.html
md5sum: 23258490ad68bc3fe94c7cd30fc1aee2

Cause:   Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Sep 12 2006 X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Full-disclosure] VMSA-2007-0002 VMware ESX security updates


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0002
Synopsis:          VMware ESX server security updates
Issue date:        2007-03-29
Updated on:        2007-03-29
CVE numbers:       CVE-2006-3739 CVE-2006-3740 CVE-2006-6097
                   CVE-2006-4334 CVE-2006-4338 CVE-2006-4335
                   CVE-2006-4336 CVE-2006-4337
- -------------------------------------------------------------------

1. Summary:

Updated ESX Patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patches ESX-5031800, ESX-5885387, ESX-6856573
VMware ESX 3.0.0 without patches ESX-3003211, ESX-3194055, ESX-3496682
VMware ESX 2.5.4 prior to upgrade patch 5 (Build# 39751)
VMware ESX 2.5.3 prior to upgrade patch 8 (Build# 39683)
VMware ESX 2.1.3 prior to upgrade patch 5 (Build# 39687)
VMware ESX 2.0.2 prior to upgrade patch 5 (Build# 39682)

3. Problem description:

Problems addressed by these patches:

a.  XFree86 update (CVE-2006-3739, CVE-2006-3740):

    ESX 3.0.1: does not have this problem
    ESX 3.0.0: does not have this problem
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682)

    A security issue with integer overflow in the CIDAFM function
    in X.Org 6.8.2 and XFree86 X server may allow local users to execute
    arbitrary code via crafted Adobe Font Metrics (AFM) files with a
    modified number of character metrics, which could lead to a
    heap-based buffer overflow.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the name CVE-2006-3739 to this issue.

    A security issue with integer overflow in the scan_cidfont function
    in X.Org 6.8.2 and XFree86 X server may allow local users to execute
    arbitrary code via crafted (1) CMap and (2) CIDFont font data with
    modified item counts in the (a) begincodespacerange, (b) cidrange,
    and (c) notdefrange sections.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the name CVE-2006-3740 to this issue.

b.  GNU tar update (CVE-2006-6097):

    ESX 3.0.1: corrected by patch ESX-5031800
    ESX 3.0.0: corrected by patch ESX-3003211
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682)

    A security issue with GNU tar 1.16 and 1.15.1, and possibly other
    versions, may be able to trick tar into creating and following a
    symbolic link, potentially overwriting files.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the name CVE-2006-6097 to this issue.

c.  GNU gzip update (CVE-2006-4334, CVE-2006-4338, CVE-2006-4335,
                     CVE-2006-4336, CVE-2006-4337)

    ESX 3.0.1: corrected by patch ESX-5885387
    ESX 3.0.0: corrected by patch ESX-3194055
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682)

    Tavis Ormandy of the Google Security Team discovered several denial
    of service flaws and code execution flaws in the way gzip expanded
    archive files.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the names CVE-2006-4334, CVE-2006-4338, CVE-2006-4335,
    CVE-2006-4336, CVE-2006-4337 to this issue.

d.  VMware update to protect against guest kernel memory corruption
    and possible denial of service in the guest OS.  Including
    syscall instruction handling and unexpected panic message in
    64-bit virtual machines.

    ESX 3.0.1: corrected by patch ESX-6856573
    ESX 3.0.0: corrected by patch ESX-3496682
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 5 (Build# 39751)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 8 (Build# 39683)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 5 (Build# 39687)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 5 (Build# 39682)

4. Solution:

Please review the Patch notes for your version of ESX and verify the
md5sum of your downloaded file.

  ESX 3.0.1
  http://www.vmware.com/support/vi3/doc/esx-5031800-patch.html
    md5sum c266474de27c569631b93bf566ad74f2 ESX-5031800.tgz
  http://www.vmware.com/support/vi3/doc/esx-5885387-patch.html
    md5sum 423e29b266f0d3181f2211dc6679b63e ESX-5885387.tgz
  http://www.vmware.com/support/vi3/doc/esx-6856573-patch.html
    md5sum 16bb030929bb005fe26c09f637cb9cd8 ESX-6856573.tgz

  ESX 3.0.0
  http://www.vmware.com/support/vi3/doc/esx-3003211-patch.html
    md5sum 846fb515a9786646dc886cef8f09eac0 ESX-3003211.tgz
  http://www.vmware.com/support/vi3/doc/esx-3194055-patch.html
    md5sum db07e1cc41b715209034f15910c9847f ESX-3194055.tgz
  http://www.vmware.com/support/vi3/doc/esx-3496682-patch.html
    md5sum 929c6830a4cdc939b0b2a35e83e3b1ac ESX-3496682.tgz


  ESX 2.5.4
  http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html
    md5sum:  70006981fcdc6708bc08515400855a68

  ESX 2.5.3
  http://www.vmware.com/support/esx25/doc/esx-253-200702-patch.html
    md5sum:  19b874bf983b176dc3fc733325e807dc

  ESX 2.1.3
  http://www.vmware.com/support/esx21/doc/esx-213-200702-patch.html
    md5sum:  c74b64a4f936f605e98eada10a3fc1ae

  ESX 2.0.2
  http://www.vmware.com/support/esx2/doc/esx-202-200702-patch.html
    md5sum:  23258490ad68bc3fe94c7cd30fc1aee2


5. References:

Patch URL:http://www.vmware.com/support/esx25/doc/esx-254-200702-patch.html
Patch URL:http://www.vmware.com/support/esx25/doc/esx-253-200702-patch.html
Patch URL:http://www.vmware.com/support/esx21/doc/esx-213-200702-patch.html
Patch URL:http://www.vmware.com/support/esx2/doc/esx-202-200702-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-5031800-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-5885387-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-6856573-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-3003211-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-3194055-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-3496682-patch.html
Knowledge base URL:http://kb.vmware.com/kb/5031800
Knowledge base URL:http://kb.vmware.com/kb/5885387
Knowledge base URL:http://kb.vmware.com/kb/6856573
Knowledge base URL:http://kb.vmware.com/kb/3003211
Knowledge base URL:http://kb.vmware.com/kb/3194055
Knowledge base URL:http://kb.vmware.com/kb/3496682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337

6. Contact:

E-mail:  security@vmware.com
http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

Copyright 2007 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGDHdX6KjQhy2pPmkRCLoBAJ9bOZkAxTsq6cJxQeZee471nNxWzQCfanj3
boDofxC/Ruj17vUFQbPGj5c=
=CABd
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC