June 10, 2008
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued the Security Alert for X.Org Foundation X Server Vulnerability on June 10, 2008.
This vulnerability allows an attacker to execute arbitrary code when an X Server reads in a specially crafted PCF font file.
When exploited, a remote attacker could take control over the computer and, for example, execute unauthorized programs, delete files and install malicious tools such as bot software.
To fix the problem, update to the latest version provided by the developer or OS vendor.
The X.Org Foundation’s X Server is an open source implementation of the X Window System, which provides a GUI(*1) environment for Unix-based systems such as Linux. The X.Org Foundation’s X Server has a buffer overflow vulnerability due to improper handling of the PCF(*2) font. When exploited, an attacker could execute arbitrary code on the computer running the X Server.
X.Org Foundation has released an X.Org security advisory for this vulnerability on January 18, 2008, at:
For the latest information, please refer to:
The following creditee reported this vulnerability to IPA. JPCERT Coordination Center (JPCERT/CC) coordinated with the product vendors and published the vulnerability on June 10, 2008, under Information Security Early Warning Partnership.
Credit： Takuya Shiozaki of CODE blog (codeblog.org)
An attacker with an established, authorized connection to an X Server could execute unauthorized programs, delete files and install malicious tools such as bot software with the privileges of X Server by feeding a specially crafted PCF font file to the X Server.
If an X Server is accessible via networks, a remote attacker who has managed to pass X Server’s authentication also could execute unauthorized programs, delete files and install malicious tools such as bot software with the X Server privileges by having the X Server process a specially crafted PCF font file.
To fix the problem, update to the latest version provided by the product developer or OS vendor.
(CVSS base score)
|CVSS base score||7.4|
|AV:Access Vector||□ Local||■ Adjacent
|AC:Access Complexity||□ High||■ Medium||□ Low|
|Au:Authentication||□ Multiple||■ Single||□ None|
|C:Confidentiality Impact||□ None||□ Partial||■ Complete|
|I:Integrity Impact||□ None||□ Partial||■ Complete|
|A:Availability Impact||□ None||□ Partial||■ Complete|
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)