[ANNOUNCE] various integer overflow vulnerabilities in xserver,
libX11 and libXfont
Matthieu Herrb
matthieu.herrb at laas.fr
Tue Apr 3 15:01:10 PDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
X.Org security advisory, April 3rd, 2007
Multiple vulnerabilities in X server, libXfont and libX11
CVE IDs: CVE-2007-1003 CVE-2007-1351 CVE-2007-1352 CVE-2007-1667
Overview
Lack of validation of parameters passed to the X server and libX11 by
client applications can lead to various kinds of integer overflows or
stack overflows that can be used to overwrite data in the memory of the
X server or of the client application.
Vulnerabilities details
* CVE-2007-1003 XC-MISC extension integer overflow
iDefense Lab security researchers discovered that the parameter used
for ALLOCATE_LOCAL in ProcXCMiscGetXIDList() is computed from an
expression using a client-provided value that can be arbitrarily
big. This can lead to an integer overflow in the evaluation of the
expression or, when ALLOCATE_LOCAL() is using alloca(), to memory
corruption if the parameter is big enough to fall out of the stack.
The vulnerable request is only available to an already authenticated
client of the X server.
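The pattern behind this entry, as an added example that is not X.Org's code: a client-supplied count is multiplied by sizeof(XID) to size a buffer. The request struct, the MAX_XIDS cap and all function names are assumptions; the point is that the unchecked product wraps in 32-bit arithmetic, and that even a non-wrapping count needs a cap before it is handed to a stack allocator such as alloca().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

typedef uint32_t XID;                               /* X resource ids are 32 bits on the wire */
typedef struct { uint32_t count; } GetXIDListReq;   /* hypothetical request body; count is client-controlled */

/* Largest list this handler will build for one request (assumed cap).
 * The cap matters even when the multiplication cannot wrap: a huge but
 * honest count handed to alloca() moves the stack pointer outside the
 * stack, which is the second failure mode the advisory describes. */
#define MAX_XIDS 4096

/* Vulnerable pattern: the allocation size is count * sizeof(XID) with no
 * check, evaluated in the request's own 32-bit width. For count 0x40000001
 * the product is 0x100000004, which truncates to 4, so a 4-byte buffer
 * would be allocated and the handler would then write count entries into it. */
uint32_t unchecked_len(const GetXIDListReq *req)
{
    return req->count * (uint32_t)sizeof(XID);
}

/* Hardened version: returns the byte length, or 0 when the request must be
 * refused (an X server would answer BadAlloc or BadValue). A zero-length
 * list is refused as well, so 0 never means "valid". */
size_t checked_len(const GetXIDListReq *req)
{
    if (req->count == 0 || req->count > MAX_XIDS)
        return 0;
    if (req->count > SIZE_MAX / sizeof(XID))   /* unreachable after the cap; the generic overflow test */
        return 0;
    return (size_t)req->count * sizeof(XID);
}

/* Build the reply on the heap from the checked size. Returns the number of
 * ids written and stores the buffer in *out, or -1 with *out == NULL. */
long build_xid_list(const GetXIDListReq *req, XID base, XID **out)
{
    *out = NULL;
    size_t len = checked_len(req);
    if (len == 0)
        return -1;
    XID *ids = malloc(len);
    if (ids == NULL)
        return -1;
    for (uint32_t i = 0; i < req->count; i++)   /* count * sizeof(XID) == len, so this stays in bounds */
        ids[i] = base + i;
    *out = ids;
    return (long)req->count;
}

/* Convenience wrapper: last id of the built list, 0 when the request was refused. */
XID last_xid(const GetXIDListReq *req, XID base)
{
    XID *ids;
    long n = build_xid_list(req, base, &ids);
    if (n < 0)
        return 0;
    XID last = ids[n - 1];
    free(ids);
    return last;
}

int main(void)
{
    GetXIDListReq evil = { 0x40000001u };   /* constructed malicious request */
    GetXIDListReq ok   = { 3 };
    printf("unchecked size for count 0x40000001: %u bytes\n", unchecked_len(&evil));
    printf("checked size for the same request:   %zu (refused)\n", checked_len(&evil));
    printf("checked size for count 3:            %zu bytes\n", checked_len(&ok));
    printf("last id of a 3-entry list at 0x200000: 0x%x\n", last_xid(&ok, 0x200000u));
    return 0;
}
```

The overflow test `count > SIZE_MAX / sizeof(XID)` is the general form of the check; with the cap in front of it, it can never trigger here, but it is the line to keep when a handler has no natural upper bound on the count.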
* CVE-2007-1351 bdf font parsing integer overflow
iDefense Lab security researchers discovered that the BDF font
parsing code in libXfont lacks some input validation checks,
permitting a specially crafted font in the BDF format to trigger an
integer overflow in the parameter to a call to xalloc() in the
bdfReadCharacters() function in bdfread.c, leading to memory
corruption.
An attacker needs to already have access to the system either as an
authenticated client of the running X server, or with the ability to
(re)start the X server.
This vulnerability also affects the FreeType 2 library up to and
including 2.3.2. Refer to the FreeType web site to obtain a
patch.
* CVE-2007-1352 fonts.dir file parsing integer overflow
iDefense Lab security researchers have identified that the code
parsing the fonts.dir file in libXfont lacks validation of the
initial number of fonts declared in this file. This can be used to
trigger an integer overflow in the computation of the parameter to
xalloc() in the FontFileInitTable() function, leading to memory
corruption.
An attacker needs to already have access to the system either as an
authenticated client of the running X server, or with the ability to
(re)start the X server.
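Both libXfont entries above (the BDF CHARS count and the fonts.dir entry count) share one root cause: a count read from a text file is multiplied by a record size to call xalloc() without checking sign, magnitude or the product. The following is an added example, not libXfont's parser: the FontEntry and CharInfo records, MAX_TABLE_ENTRIES and the function names are assumptions, and the sample files are constructed. It shows one count parser that refuses negative, oversized and wrapping values, and a fonts.dir loader that only allocates after that check and also insists the declared count matches the entries actually present.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TABLE_ENTRIES 65536   /* assumed sane upper bound for one font directory or font file */

typedef struct { char file[64]; char name[128]; } FontEntry;          /* hypothetical fonts.dir record */
typedef struct { int16_t width, height; uint8_t *bits; } CharInfo;   /* hypothetical glyph record */

/* Parse a count found in a file header. atoi()/strtol() into an int accept
 * "-1" and "4294967295", and count * entry_size then wraps (or, for a negative
 * count converted to size_t, becomes huge). This version refuses anything that
 * is not a plain positive decimal within the cap, and checks the product. */
long parse_count(const char *s, size_t entry_size)
{
    while (isspace((unsigned char)*s))
        s++;
    if (!isdigit((unsigned char)*s))      /* rejects "", "-1", "+3", "0x10" */
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE)
        return -1;
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')                     /* trailing junk */
        return -1;
    if (v == 0 || v > MAX_TABLE_ENTRIES)
        return -1;
    if (v > SIZE_MAX / entry_size)        /* count * entry_size would wrap */
        return -1;
    return (long)v;
}

/* Copy the next line of an in-memory file into buf; returns the position after it, NULL at end. */
static const char *next_line(const char *p, char *buf, size_t n)
{
    if (p == NULL || *p == '\0')
        return NULL;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n)
        len = n - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* fonts.dir: first line is the entry count, then one "<file> <xlfd name>" per
 * line. Returns the entry count, or -1 when the file is refused. */
long load_fonts_dir(const char *text, FontEntry **out)
{
    char line[256];
    *out = NULL;
    const char *p = next_line(text, line, sizeof line);
    if (p == NULL)
        return -1;
    long n = parse_count(line, sizeof(FontEntry));   /* validate before allocating */
    if (n < 0)
        return -1;
    FontEntry *tab = calloc((size_t)n, sizeof *tab);
    if (tab == NULL)
        return -1;
    long i = 0;
    while (i < n && (p = next_line(p, line, sizeof line)) != NULL) {
        if (sscanf(line, "%63s %127[^\n]", tab[i].file, tab[i].name) != 2)
            break;
        i++;
    }
    if (i != n) {                                    /* declared count must match the entries present */
        free(tab);
        return -1;
    }
    *out = tab;
    return n;
}

/* BDF: the "CHARS <n>" line declares how many glyph records follow. */
long bdf_char_count(const char *text)
{
    char line[256];
    const char *p = text;
    while ((p = next_line(p, line, sizeof line)) != NULL)
        if (strncmp(line, "CHARS ", 6) == 0)
            return parse_count(line + 6, sizeof(CharInfo));
    return -1;   /* no CHARS line: refuse rather than guess */
}

/* Constructed sample inputs. */
const char good_dir[]  = "2\nfixed.pcf -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso8859-1\ncursor.pcf cursor\n";
const char neg_dir[]   = "-1\nfixed.pcf fixed\n";
const char huge_dir[]  = "4294967295\n";
const char short_dir[] = "3\nfixed.pcf fixed\n";
const char good_bdf[]  = "STARTFONT 2.1\nFONT fixed\nCHARS 2\nSTARTCHAR a\nENDCHAR\nSTARTCHAR b\nENDCHAR\nENDFONT\n";
const char bad_bdf[]   = "STARTFONT 2.1\nCHARS -2147483648\nENDFONT\n";

int main(void)
{
    FontEntry *tab;
    long n = load_fonts_dir(good_dir, &tab);
    printf("good fonts.dir: %ld entries, last name \"%s\"\n", n, tab[n - 1].name);
    free(tab);
    printf("fonts.dir with -1: %ld, with 2^32-1: %ld, with too few entries: %ld\n",
           load_fonts_dir(neg_dir, &tab), load_fonts_dir(huge_dir, &tab), load_fonts_dir(short_dir, &tab));
    printf("BDF CHARS 2: %ld, BDF CHARS -2147483648: %ld\n", bdf_char_count(good_bdf), bdf_char_count(bad_bdf));
    return 0;
}
```

The cap is the part that does the real work against a hostile file: a count of a few hundred million glyphs passes the wrap test on a 64-bit build, and a font file or directory is never legitimately that large.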
* CVE-2007-1667 libX11 XInitImage input validation
Sami Leides has reported to the Debian BTS that some manually
crafted images can lead to memory corruption in libX11, due to
incomplete input validation in XInitImage(), in ImUtils.c.
It has been demonstrated that at least xwud and ImageMagick can be
used to trigger calls to XInitImage() with incorrect parameters when
viewing a malicious image. Other image viewing programs can probably
be used too.
This vulnerability can be exploited by having a user who is already
connected to the X server launch a viewer on the malicious
image.
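The validation an XImage header needs before a viewer trusts its row stride, as an added example that is not libX11's XInitImage(): the ImageHdr struct is a hypothetical subset of XImage, MAX_IMAGE_BYTES and the function names are assumptions, and the two headers are constructed. It contrasts a row-length check done in 32-bit arithmetic, which a wide enough image wraps past, with widened arithmetic plus range and cross-field checks.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

enum { XYBitmap = 0, XYPixmap = 1, ZPixmap = 2 };   /* format codes as in X11/X.h */

#define MAX_IMAGE_BYTES (256u << 20)   /* assumed cap on one image buffer */

/* The header fields an image file supplies and a viewer copies into an
 * XImage before calling XInitImage(). Hypothetical layout, a subset of XImage. */
typedef struct {
    int width, height, xoffset, format, depth;
    int bitmap_pad, bitmap_unit, bits_per_pixel, bytes_per_line;
} ImageHdr;

/* The kind of check that is not enough: the row length is computed in 32-bit
 * width, so bits_per_pixel * width wraps for a wide enough image and a tiny
 * bytes_per_line passes. Computed in uint32_t here so the wrap is
 * deterministic (as int it would be undefined behaviour). */
uint32_t naive_min_bytes_per_line(const ImageHdr *h)
{
    uint32_t bits = (uint32_t)h->bits_per_pixel * (uint32_t)h->width;
    uint32_t pad = (uint32_t)h->bitmap_pad;
    return (bits + pad - 1) / pad * pad / 8;
}

/* Minimum legal bytes_per_line for the header, or -1 when any field is out
 * of range or the fields contradict each other. 64-bit arithmetic cannot wrap
 * for int-sized inputs. */
int64_t min_bytes_per_line(const ImageHdr *h)
{
    if (h->width <= 0 || h->height <= 0 || h->xoffset < 0)
        return -1;
    if (h->depth <= 0 || h->depth > 32 || h->bits_per_pixel <= 0 || h->bits_per_pixel > 32)
        return -1;
    if (h->bitmap_unit <= 0 || h->bitmap_unit > 32)
        return -1;
    if (h->bitmap_pad != 8 && h->bitmap_pad != 16 && h->bitmap_pad != 32)
        return -1;
    if (h->format != XYBitmap && h->format != XYPixmap && h->format != ZPixmap)
        return -1;
    if (h->format == XYBitmap && h->depth != 1)
        return -1;
    int64_t bits = (h->format == ZPixmap)
        ? (int64_t)h->bits_per_pixel * h->width   /* packed pixels */
        : (int64_t)h->width + h->xoffset;          /* one plane of 1-bit pixels */
    return (bits + h->bitmap_pad - 1) / h->bitmap_pad * (h->bitmap_pad / 8);
}

/* Validate the header, fill in bytes_per_line when the file left it 0, and
 * return through *needed the buffer size the viewer must hold. 0 accepts, -1 rejects. */
int validate_image(ImageHdr *h, size_t *needed)
{
    *needed = 0;
    int64_t min_bpl = min_bytes_per_line(h);
    if (min_bpl < 0 || min_bpl > INT_MAX)
        return -1;
    if (h->bytes_per_line == 0)
        h->bytes_per_line = (int)min_bpl;
    else if (h->bytes_per_line < min_bpl)       /* stride too small for the width */
        return -1;
    int64_t total = (int64_t)h->height * h->bytes_per_line;   /* both <= INT_MAX, no wrap in 64 bits */
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *needed = (size_t)total;
    return 0;
}

/* Constructed headers: a 16x4 24-bit ZPixmap, and one whose width makes the
 * 32-bit row computation wrap (32 * 134217729 = 2^32 + 32) with a 4-byte stride. */
const ImageHdr good_hdr = { 16, 4, 0, ZPixmap, 24, 32, 32, 32, 0 };
const ImageHdr wrap_hdr = { 134217729, 1, 0, ZPixmap, 24, 32, 32, 32, 4 };

int main(void)
{
    ImageHdr g = good_hdr, w = wrap_hdr;
    size_t n;
    printf("good: rc=%d bytes_per_line=%d buffer=%zu\n", validate_image(&g, &n), g.bytes_per_line, n);
    printf("wrap: naive min stride=%u, real min stride=%lld, rc=%d\n",
           naive_min_bytes_per_line(&w), (long long)min_bytes_per_line(&w), validate_image(&w, &n));
    return 0;
}
```

A viewer that accepted the wrapped header would allocate or read one row of 4 bytes and then let the drawing code walk 134 million pixels across it, which is the memory corruption the entry describes.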
Affected versions
All released X.Org versions of xserver, libX11 and libXfont are
vulnerable to the respective problems. Other X window system
implementations based on the X11R6 sample implementation are probably
vulnerable too.
Fix
Apply one of the following patches
X.Org 7.2
http://xorg.freedesktop.org/archive/X11R7.2/patches/
xorg-libX11-1.1.1-xinitimage.diff (CVE-2007-1667)
  MD5:  d52da02163cd401b99b6e3a08d7ff068
  SHA1: a0f904115ad9dc441bebcf2f8267f9751322b727
xorg-libXfont-1.2.7-bdf-fontdir.diff (CVE-2007-1351, CVE-2007-1352)
  MD5:  76e3330c9bace76318e096b3c2182101
  SHA1: 3e57aca6215e1212e53b1a3b1d243916ac7fa703
xorg-xserver-1.2.0-xcmisc.diff (CVE-2007-1003)
  MD5:  0fa07a8fb2bc14fa01fc29e42b89c59e
  SHA1: 3557cbe23be6912106ed7220d95301311fb93a26
These patches can be applied to earlier versions of X.Org too with a
few manual tweaks.
Thanks
Sean Larsson of iDefense Labs discovered the XC-MISC vulnerability and
provided sample code and advice on fixing it.
- --
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRhLOpnKGCS6JWssnAQKphwQAi+8ofGsHiPpYuI01iIxHuilvJobOi+UT
yPShf25RJa4JImUOyZ2KMELU0cpoy1qYphStsLgnxXt5rf9UpG1HRoHaLTNRP6d4
iP7Val2uuf8K6aI2EibyohF87Fv9OcC5aMpHLoGBALrg530qA48cqdRIeYvDgP19
v4VuQmBsqIQ=
=WuJc
-----END PGP SIGNATURE-----