Mandriva Linux Security Advisory - Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer overflow. The swap_char2b function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption.
3590d95e704a2b4bb5d685df07d508326a9d5921828ec1b7d94910404cf25c19
Gentoo Linux Security Advisory GLSA 200710-11 - iDefense reported that the xfs init script does not correctly handle a race condition when setting permissions of a temporary file. Sean Larsson discovered an integer overflow vulnerability in the build_range() function possibly leading to a heap-based buffer overflow when handling QueryXBitmaps and QueryXExtents protocol requests. Sean Larsson also discovered an error in the swap_char2b() function possibly leading to a heap corruption when handling the same protocol requests. Versions less than 1.0.5 are affected.
511f463b3188bb6e41c1e0acef1a8578132acf147999f05fdb2f1f68b185056e
Debian Security Advisory 1385-1 Sean Larsson discovered that two code paths inside the X Font Server handle integer values insecurely, which may lead to the execution of arbitrary code.
7d2351d6bbaaa26298488b154c33c30a4f4f804aa58415cb559dec4380f72994
iDefense Security Advisory 10.02.07 - Remote exploitation of a multiple vulnerabilities in X.Org Foundation's X Font Server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code. iDefense has confirmed the existence of these vulnerabilities in XFS version X11R7.2-1.0.4. Previous versions may also be affected.
efa2e92184226bbbf67acb9bc96f53bb0476cd59fd1e3b59af0eef6729674b00