RHEL 2.1 : XFree86 (RHSA-2003:289)

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated XFree86 packages provide security fixes to font libraries and
XDM.

XFree86 is an implementation of the X Window System providing the core
graphical user interface and video drivers. XDM is the X display
manager.

Multiple integer overflows in the transfer and enumeration of font
libraries in XFree86 allow local or remote attackers to cause a denial
of service or execute arbitrary code via heap-based and stack-based
buffer overflow attacks. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2003-0730 to this
issue.

The risk to users from this vulnerability is limited because only
clients can be affected by these bugs; however, in some (non-default)
configurations, both xfs and the X Server can act as clients to remote
font servers.

XDM does not verify whether the pam_setcred function call succeeds,
which may allow attackers to gain root privileges by triggering error
conditions within PAM modules, as demonstrated in certain
configurations of the pam_krb5 module. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2003-0690
to this issue.

Users are advised to upgrade to these updated XFree86 4.1.0 packages,
which contain backported security patches and are not vulnerable to
these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2003-0690.html
https://www.redhat.com/security/data/cve/CVE-2003-0730.html
http://rhn.redhat.com/errata/RHSA-2003-289.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 12424

CVE ID: CVE-2003-0690
CVE-2003-0730