CVE-2007-3103

Fedora Core - Arbitrary File Permission Change via Symlink Attack on /tmp/.font-unix


Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-3103. PoCs published by vl4dZ.

AI-analyzed exploit summary: This exploit leverages a race condition in the Xorg-x11-xfs init script (CVE-2007-3103) to create a symlink from /tmp/.font-unix to /etc/passwd, allowing an attacker to append a root user entry and escalate privileges to root.

Description

The init.d script for the X.Org X11 xfs font server on various Linux distributions might allow local users to change the permissions of arbitrary files via a symlink attack on the /tmp/.font-unix temporary file.

Exploits (1)

exploitdb WORKING POC VERIFIED
by vl4dZ · bash · local · linux
https://www.exploit-db.com/exploits/5167


Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: xorg-x11-xfs <= 1.0.2-3.1
No auth needed
Prerequisites: xorg-x11-xfs service must be running or restarted by root · write access to /tmp
devstral-2 · analyzed Feb 16, 2026

References (22)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10802
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35674
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24888
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0520.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26081
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2007/dsa-1342
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-1485
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27240
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26056
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/473869/100/0/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5167
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018375
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200710-11.xml
Vendor Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00095.html
Issue Tracking x_refsource_confirm
http://bugzilla.redhat.com/242903
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35375
Patch third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=557
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26282
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0519.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/40945
Issue Tracking x_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=185660
Vendor Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00096.html

Scores

EPSS 0.0090
EPSS Percentile 55.0%

Details

CWE: CWE-59
Status: published
Products (4)
fedoraproject/fedora_core 6.0
redhat/enterprise_linux 4.0 (3 CPE variants)
redhat/enterprise_linux_desktop 4.0
redhat/linux
Published Jul 15, 2007
Tracked Since Feb 18, 2026