[ANNOUNCE] X.Org Security Advisory: Multiple issues in libXfont
Alan Coopersmith
alan.coopersmith at oracle.com
Tue May 13 08:39:25 PDT 2014
On 05/13/14 08:08 AM, Alan Coopersmith wrote:
> Most of these issues stem from libXfont trusting the font server to send
> valid protocol data, and not verifying that the values will not overflow
> or cause other damage. This code is commonly called from the X server
> when an X Font Server is active in the font path, so may be running in a
> setuid-root process depending on the X server in use. Exploits of this
> path could be used by a local, authenticated user to attempt to raise
> privileges; or by a remote attacker who can control the font server to
> attempt to execute code with the privileges of the X server. (CVE-2014-XXXA
> is the exception, as it does not involve communication with a font server,
> as explained below.)
Sorry, missed an update when filling in the assigned CVE's - the above statement
should say "CVE-2014-0209 is the exception" as explained in:
> - CVE-2014-0209: integer overflow of allocations in font metadata file parsing
>
> When a local user who is already authenticated to the X server adds
> a new directory to the font path, the X server calls libXfont to open
> the fonts.dir and fonts.alias files in that directory and add entries
> to the font tables for every line in it. A large file (~2-4 gb) could
> cause the allocations to overflow, and allow the remaining data read
> from the file to overwrite other memory in the heap.
>
> Affected functions: FontFileAddEntry(), lexAlias()
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
More information about the xorg-devel
mailing list