X.Org Security Advisory: Type1 CID fonts

Matthieu Herrb matthieu.herrb at laas.fr
Tue Sep 12 07:12:23 PDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org Security Advisory, September 12, 2006
Integer overflows in handling CID encoded Type1 fonts
CVE-ID: 2006-3739, 2006-3740

Overview

A user who is able to set the X server font path can point it at a
malicious font and thereby cause arbitrary code execution or denial of
service in the X server.

Vulnerability details

The "type1" module does not validate input data while parsing CID
encoded Type1 fonts. Integer overflows can therefore occur while
computing the size of data buffers allocated during parsing, leaving
those buffers smaller than the data written into them. Arbitrary code
embedded in a malicious font can then be executed by the X server.

To exploit these vulnerabilities, the attacker must be able to connect to
the X server in order to execute 'xset fp+' (which appends a directory to
the font path) or the equivalent.

CVE-ID 2006-3740 describes a vulnerability in the scan_cidfont()
function in Type1/scanfont.c, while CVE-ID 2006-3739 describes similar
problems in the CIDADM() function in Type1/afm.c.
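The following C program is an added illustration of the bug class named
above (an entry count read from the font multiplied by an element size,
without a check that the product fits); it is not the libXfont code and
does not reproduce the scan_cidfont() or CIDADM() logic. The record type,
the 64-byte entry size, the little-endian header layout and the two sample
headers are all constructed for the example. Sizes are deliberately
computed in a 32-bit type to model the 32-bit size_t of the X servers of
the time; the hardened variant shows the two checks that the vulnerable
variant lacks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a per-glyph record parsed out of a CID font. The 64-byte size
 * is an assumption for this example, not libXfont's real layout. */
typedef struct { uint8_t data[64]; } cid_entry;

/* Sizes are computed in uint32_t on purpose: this models the 32-bit size_t
 * of the X servers of the time, where count * sizeof(entry) silently wraps.
 * On a 64-bit build the same multiplication would need a much larger count. */
typedef uint32_t size32_t;

struct alloc_plan {
    int accepted;          /* 1 if the parser would go on to call malloc() */
    size32_t alloc_bytes;  /* the size it would pass to malloc() */
    uint64_t needed_bytes; /* the size the declared entry count really requires */
};

/* Constructed header format used here: a little-endian 32-bit entry count
 * followed by count * sizeof(cid_entry) bytes of entries. */
static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the count is taken from the font file and multiplied
 * without an overflow check. For count > 0x03FFFFFF the 32-bit product
 * wraps, malloc() gets a tiny size, and the copy loop that would follow
 * writes count entries into it: a heap buffer overflow. */
struct alloc_plan plan_alloc_unchecked(const uint8_t *buf, size_t len)
{
    struct alloc_plan r = {0, 0, 0};
    if (len < 4)
        return r;
    uint32_t count = read_u32le(buf);
    r.alloc_bytes = count * (size32_t)sizeof(cid_entry);
    r.needed_bytes = (uint64_t)count * sizeof(cid_entry);
    r.accepted = 1;
    return r;
}

/* Hardened pattern: reject any count whose product cannot be represented,
 * and additionally refuse a count that claims more entries than the file
 * actually contains, which catches truncated or lying headers. */
struct alloc_plan plan_alloc_checked(const uint8_t *buf, size_t len)
{
    struct alloc_plan r = {0, 0, 0};
    if (len < 4)
        return r;
    uint32_t count = read_u32le(buf);
    r.needed_bytes = (uint64_t)count * sizeof(cid_entry);
    if (count > UINT32_MAX / sizeof(cid_entry))
        return r;                 /* multiplication would wrap */
    if (r.needed_bytes > (uint64_t)(len - 4))
        return r;                 /* header promises more data than is present */
    r.alloc_bytes = count * (size32_t)sizeof(cid_entry);
    r.accepted = 1;
    return r;
}

/* Constructed inputs, not real font data. benign_hdr declares 2 entries and
 * carries them. malicious_hdr declares 0x04000001 entries: the true size is
 * 0x04000001 * 64 = 0x100000040 bytes, which truncates to 0x40 in 32 bits. */
const uint8_t benign_hdr[4 + 2 * 64] = { 0x02, 0x00, 0x00, 0x00 };
const uint8_t malicious_hdr[4] = { 0x01, 0x00, 0x00, 0x04 };

int main(void)
{
    struct alloc_plan u = plan_alloc_unchecked(malicious_hdr, sizeof malicious_hdr);
    struct alloc_plan c = plan_alloc_checked(malicious_hdr, sizeof malicious_hdr);
    printf("unchecked: accepted=%d malloc(%u) for %llu bytes of entries\n",
           u.accepted, (unsigned)u.alloc_bytes, (unsigned long long)u.needed_bytes);
    printf("checked:   accepted=%d\n", c.accepted);
    return 0;
}
```

The unchecked variant accepts the malicious header and plans a 64-byte
allocation for what is really more than 4 GiB of entries; the checked
variant rejects it at the division check, and also rejects a header whose
count is arithmetically fine but exceeds the bytes present in the file.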

Affected versions

All X servers using the "type1" font module with CID font support are
vulnerable to this issue. This includes all X.Org versions from 6.7.0
to 7.1 inclusive. Older versions are not supported by X.Org.

Workaround

If no CID-encoded Type 1 fonts are used, the "type1" module can be
disabled and replaced by the "freetype" module in /etc/X11/xorg.conf.
The freetype module is able to use Type1 fonts with standard (non-CID)
encoding as well as TrueType fonts.
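As an added illustration of that workaround (not part of the advisory), the
relevant "Module" section of /etc/X11/xorg.conf would read as follows,
assuming the section already exists on the system and the line loading
"type1" is commented out rather than deleted:

```conf
Section "Module"
    # Load "type1"     # disabled: affected by CVE-2006-3739 / CVE-2006-3740
    Load  "freetype"   # handles standard Type1 and TrueType fonts
EndSection
```

The change takes effect only after the X server is restarted; check the X
server log afterwards to confirm that "type1" is no longer among the loaded
modules, and note that any CID-encoded Type 1 fonts on the font path will
stop working.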

Also, systems with memory address space randomization are less likely
to be successfully compromised, as the most effective way to exploit
these vulnerabilities relies on a fixed address space layout.

Fix

These issues have been fixed in libXfont 1.2.1.

For earlier versions, apply one of the following patches:

X.Org 6.8.2

<http://xorg.freedesktop.org/releases/X11R6.8.2/patches/>
MD5: 3943de39723099857403a50bea2b4408  xorg-68x-cidfonts.patch
SHA1: 1ff2c998453e233f9278be76ccb8a827cabbb067  xorg-68x-cidfonts.patch

X.Org 6.9.0

<http://xorg.freedesktop.org/releases/X11R6.9.0/patches/>
MD5: 7c0c53f1c7ffd97b429eda1eefdff9cb  x11r6.9.0-cidfonts.diff
SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037  x11r6.9.0-cidfonts.diff

X.Org 7.0 - libXfont 1.0.0

<http://xorg.freedesktop.org/releases/X11R7.0/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea  libXfont-1.0.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d  libXfont-1.0.0-cidfonts.diff

X.Org 7.1 - libXfont 1.1.0

<http://xorg.freedesktop.org/releases/X11R7.1/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea  libXfont-1.1.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d  libXfont-1.1.0-cidfonts.diff

Thanks

These vulnerabilities were reported to the X.Org Foundation by
iDefense (IDEF1691 and IDEF1751).
- --
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iQCVAwUBRQbAR3KGCS6JWssnAQIQYwP/Vf21yp8bqTW03lwdaBqeNovDk/o9PJDZ
eEnfwwmjU1Y/hm478UCfarMLnLulxk3dOm5miDEawGtDp1uOC2oXdFKgAB+hyV0d
BQnDP5Ydy9GSOKg1Rttl3E9h5m3h0dKkRgR7TjLj95DZAy3Avbicqn622zL4OXFk
kfdC39Vmqlk=
=UOg5
-----END PGP SIGNATURE-----