[Full-Disclosure] [ GLSA 200402-02 ] XFree86 Font Information File Buffer Overflow

From: Tim Yamin (plasmaroo_at_gentoo.org)
Date: 02/11/04

    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com, gentoo-core@gentoo.org, gentoo-announce@gentoo.org
    Date: Wed, 11 Feb 2004 20:45:05 +0000
    
    


    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200402-02
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    http://security.gentoo.org
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: XFree86 Font Information File Buffer Overflow
    Date: February 11, 2004
    ID: 200402-02

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Exploitation of a buffer overflow in the XFree86 Project Inc.'s XFree86
    X Window System allows local attackers to gain root privileges.

    Background
    ==========

    XFree86 provides a client/server interface between display hardware
    and the desktop environment while also providing both the windowing
    infrastructure and a standardized API. XFree86 is platform
    independent, network-transparent and extensible.

    Description
    ===========

    Exploitation of a buffer overflow in the XFree86 X Window System,
    discovered by iDefense [1], allows local attackers to gain root privileges.

    The problem exists in the parsing of the 'fonts.alias' file. The X server
    (running as root) fails to check the length of the user-provided input,
    so a malicious user may craft a malformed 'fonts.alias' file that causes a
    buffer overflow when it is parsed, eventually leading to the execution of
    arbitrary code.

    To reproduce the overflow on the command line, you can run:

    # cat > fonts.dir <<EOF
    1
    word.bdf \
    -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
    EOF
    # perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
    # X :0 -fp $PWD

    {Some output removed}... Server aborting... Segmentation fault (core dumped)
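    As an added illustration (not XFree86's code and not part of the advisory), the following bounded tokenizer shows the length check that the advisory says is missing when fonts.alias is parsed: MAXFONTNAMELEN, the function names and the return codes are assumptions, and the over-long input is the line constructed by the perl command above.

```c
#include <string.h>
#define MAXFONTNAMELEN 1024   /* assumed fixed-size token buffer; illustrative, not XFree86's code */
enum { ALIAS_OK = 0, ALIAS_EMPTY = 1, ALIAS_TOO_LONG = -1, ALIAS_BAD = -2 };

/* Copy one whitespace-delimited token from *src into dst[dstsz]; return its length,
 * or -1 if it does not fit.  This is the length check the advisory says the server lacked. */
static int lex_token(const char **src, char *dst, size_t dstsz)
{
    const char *p = *src;
    size_t n = 0;
    while (*p == ' ' || *p == '\t') p++;
    while (*p && *p != ' ' && *p != '\t' && *p != '\n') {
        if (n + 1 >= dstsz) return -1;       /* keep room for the NUL */
        dst[n++] = *p++;
    }
    dst[n] = '\0';
    *src = p;
    return (int)n;
}

/* Parse one "alias font-name" line of fonts.alias into two fixed buffers. */
int parse_alias_line(const char *line, char *alias, char *font)
{
    int la, lf;
    if (line[0] == '!' || line[0] == '\n' || line[0] == '\0')
        return ALIAS_EMPTY;                  /* comment or blank line */
    la = lex_token(&line, alias, MAXFONTNAMELEN);
    if (la < 0) return ALIAS_TOO_LONG;
    if (la == 0) return ALIAS_EMPTY;
    lf = lex_token(&line, font, MAXFONTNAMELEN);
    if (lf < 0) return ALIAS_TOO_LONG;
    return lf == 0 ? ALIAS_BAD : ALIAS_OK;
}

/* The advisory's constructed input: 1024 '0's then 96 'A's, a single 1120-byte token.
 * A bounded lexer reports it instead of writing past the 1024-byte buffer. */
int check_advisory_sample(void)
{
    char line[1024 + 96 + 2], alias[MAXFONTNAMELEN], font[MAXFONTNAMELEN];
    memset(line, '0', 1024);
    memset(line + 1024, 'A', 96);
    line[1120] = '\n'; line[1121] = '\0';
    return parse_alias_line(line, alias, font);
}
/* A well-formed alias line for the font named in the advisory's fonts.dir is still accepted. */
int check_valid_sample(void)
{
    char alias[MAXFONTNAMELEN], font[MAXFONTNAMELEN];
    int rc = parse_alias_line("fixed -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1\n", alias, font);
    return rc == ALIAS_OK && strcmp(alias, "fixed") == 0 && strncmp(font, "-misc-fixed", 11) == 0;
}
```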

    Impact
    ======

    Successful exploitation can lead to a root compromise provided
    that the attacker is able to execute commands in the X11
    subsystem. This can be done either by having console access to the
    target or through a remote exploit against any X client program
    such as a web-browser, mail-reader or game.

    Workaround
    ==========

    No immediate workaround is available; a software upgrade is required.

    Gentoo has released XFree 4.2.1-r3, 4.3.0-r4 and 4.3.99.902-r1 and
    encourages all users to upgrade their XFree86 installations. Vulnerable
    versions are no longer available in Portage.

    Resolution
    ==========

    All users are recommended to upgrade their XFree86 installation:

    # emerge sync
    # emerge -pv x11-base/xfree
    # emerge x11-base/xfree

    References
    ==========

    [1] www.idefense.com/application/poi/display?id=72&type=vulnerabilities

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux, and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org; alternatively, you may file a bug at
    http://bugs.gentoo.org.


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

