[UNIX] Large Form Text Fields in konqueror Cause X to Crash (DoS)

From: support@securiteam.com
Date: 12/12/01


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 12 Dec 2001 16:45:27 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Large Form Text Fields in konqueror Cause X to Crash (DoS)
------------------------------------------------------------------------

SUMMARY

When using the konqueror web browser, entering roughly 9000 or more
characters (for example, 9000 'A's) into a form text field, such as
www.yahoo.com's web search box, and submitting the form can crash the
entire X environment. Because such an input can be forced on the user
(through JavaScript, a default field value, etc.), a remote attacker can
trigger the crash from a web page.

DETAILS

Vulnerable systems:
K Desktop version 2.1.2 with XFree86 version prior to 4.1.0

Immune systems:
XFree86 version above 4.1.0

Example:
The vulnerability can be verified by including the following HTML code in
an existing file:
<input type="text" value="(9000 A's)">

You will also need JavaScript that forces the form to be submitted, e.g.
onload = document.forms[0].submit(), since the vulnerability only
manifests itself when the form is submitted.

Solution:
Apply the patch provided below.
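The patch below replaces a sign check on x + width with a comparison against the clip region's extents, and its comment attributes the crash to 16-bit overflow. The following program is an added illustration of that failure mode and is not code from the advisory or from XFree86: the Box type is a constructed stand-in for the X server's 16-bit BoxRec, the 6-pixel glyph width and the 1024x768 extents are assumed values, and naive_box / extents_box mirror the shape of the pre-patch and post-patch checks rather than the server's actual functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the X server's BoxRec, whose edges are
 * 16-bit. This is illustration code, not the XFree86 definition.
 */
typedef struct {
    int16_t x1, y1, x2, y2;
} Box;

/* Assumed glyph width in pixels, chosen for the demonstration only. */
#define GLYPH_WIDTH_PX 6

/*
 * Pre-patch style check: it rejects only boxes that end left of or above
 * the origin, then stores int coordinates into 16-bit fields. The
 * narrowing conversion wraps on two's-complement targets, so a wide
 * glyph run yields a box whose right edge is less than its left edge.
 */
static bool naive_box(int x, int y, int width, int height, Box *out)
{
    if (x + width < 0)
        return false;
    if (y + height < 0)
        return false;
    out->x1 = (int16_t)x;
    out->x2 = (int16_t)(x + width);   /* 54010 wraps to -11526 */
    out->y1 = (int16_t)y;
    out->y2 = (int16_t)(y + height);
    return true;
}

/*
 * Patched style check: compare against the region extents in int before
 * anything is narrowed, so an oversized run is rejected instead of
 * silently wrapping into a corrupt box.
 */
static bool extents_box(int x, int y, int width, int height,
                        const Box *ext, Box *out)
{
    if (x < (int)ext->x1)
        return false;
    if ((int)ext->x2 < x + width)
        return false;
    if (y < (int)ext->y1)
        return false;
    if ((int)ext->y2 < y + height)
        return false;
    out->x1 = (int16_t)x;
    out->x2 = (int16_t)(x + width);
    out->y1 = (int16_t)y;
    out->y2 = (int16_t)(y + height);
    return true;
}

/* A box with right < left or bottom < top is the corrupt result of the wrap. */
static bool box_inverted(const Box *b)
{
    return b->x2 < b->x1 || b->y2 < b->y1;
}

int main(void)
{
    /* Constructed extents and a 9000-glyph run starting at x = 10. */
    Box screen = { 0, 0, 1024, 768 };
    Box b;
    int run_width = 9000 * GLYPH_WIDTH_PX;   /* 54000 px, beyond INT16_MAX */

    if (naive_box(10, 10, run_width, 12, &b))
        printf("naive: accepted, x1=%d x2=%d inverted=%d\n",
               b.x1, b.x2, box_inverted(&b));

    printf("extents: %s\n",
           extents_box(10, 10, run_width, 12, &screen, &b)
               ? "accepted" : "rejected");
    return 0;
}
```

Run as written, the naive check accepts the run and produces an inverted box (x1 = 10, x2 = -11526), which is the kind of value later region arithmetic in the server cannot handle; the extents check rejects the same run before any narrowing happens, while a 500-pixel run still passes both.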

Patch:
Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c 2001/05/29 04:54:09 1.11
+++ fbglyph.c 2001/09/07 15:16:00 1.12
@@ -34,9 +34,19 @@
     int height)
 {
     BoxRec box;
+ BoxPtr pExtents = REGION_EXTENTS (0, pRegion);
 
- if (x + width < 0) return FALSE;
- if (y + height < 0) return FALSE;
+ /*
+ * Check extents by hand to avoid 16 bit overflows
+ */
+ if (x < (int) pExtents->x1)
+ return FALSE;
+ if ((int) pExtents->x2 < x + width)
+ return FALSE;
+ if (y < (int) pExtents->y1)
+ return FALSE;
+ if ((int) pExtents->y2 < y + height)
+ return FALSE;
     box.x1 = x;
     box.x2 = x + width;
     box.y1 = y;
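Review bot: the comment "Check extents by hand to avoid 16 bit overflows" should say where the overflow actually occurs, since the removed tests (x + width < 0, y + height < 0) are int comparisons and are not themselves the overflow site; the problem is the assignments that follow, box.x2 = x + width and box.y2 = y + height, which narrow an int into BoxRec's 16-bit fields. Suggest a comment such as "box.x2/box.y2 are 16-bit; reject anything outside the region extents before narrowing". Also note that the new tests return FALSE for any glyph box not wholly inside the extents, which is a behaviour change for glyphs that straddle the extents edge and was previously left to the region test; that is worth stating explicitly so later readers do not take it for an accidental tightening.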
@@ -261,10 +271,10 @@
        FbBits,
        int,
        int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
     
     glyph = 0;
     if (pGC->fillStyle == FillSolid && pPriv->and == 0)
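Review bot: zero-initialising dst, dstStride, dstBpp, dstXoff and dstYoff turns an uninitialised read into a deterministic NULL dereference or zero stride rather than fixing a logic path; if these locals are only assigned inside the if (pGC->fillStyle == FillSolid && pPriv->and == 0) branch, every later use should be guarded by the same condition, and a one-line comment explaining that the zeroing is defensive (and why the compiler could not prove initialisation) would stop a future cleanup from removing it as dead code.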
@@ -352,10 +362,10 @@
        FbBits,
        int,
        int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
     
     glyph = 0;
     if (pPriv->and == 0)
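Review bot: this hunk is byte-for-byte the same initialisation as the previous one, only behind a different condition (if (pPriv->and == 0)); the duplicated local declarations in the two glyph routines suggest the setup belongs in a shared helper, or at minimum the two sites should carry a cross-referencing comment so that a later fix to one is not forgotten in the other.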

ADDITIONAL INFORMATION

The information has been provided by <mailto:smackenz@sdf.lonestar.org>
scott, <mailto:jscimone@cc.gatech.edu> John Scimone, and
<mailto:matthieu.herrb@laas.fr> Matthieu Herrb.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.