[UNIX] Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow
------------------------------------------------------------------------


SUMMARY

The X Window System is "a graphical windowing system based on a
client/server model". Local exploitation of an integer overflow
vulnerability in the 'scan_cidfont()' function in the X.Org and XFree86 X
server could allow an attacker to execute arbitrary code with privileges
of the X server, typically root.

DETAILS

Vulnerable Systems:
* X.org server version 6.8.2

The vulnerability specifically exists in the handling of 'CMap' and
'CIDFont' font data. When parsing this information no checks are made that
the count of items for the 'begincodespacerange', 'cidrange' and
'notdefrange' sections.

In addition to a 'standard' integer overflow, the implementation of
'vm_alloc()' makes it possible to overwrite memory before the allocated
region.

Analysis:
Successful local exploitation allows an attacker to execute arbitrary as
the root user. In order to exploit this vulnerability an attacker would
require the ability to send commands to an affected X server. This
typically requires access to the console, or access to the same account as
a user who is on the console. One method of gaining the required access
would be to remotely exploit a vulnerability in, for example, a graphical
web browser. This would then allow an attacker to exploit this
vulnerability and elevate their privileges to root.

Workaround:
Access to the vulnerable code can be prevented by removing the entry for
the Type1 font module from your Xservers configuration file, often stored
in /etc/X11 and named xorg.conf or XF86Config-4. To do this, remove the
following line from the 'Module' section:

Load "type1"

This will prevent Type 1 fonts from loading, which may affect the
appearance or operation of some applications.

Vendor response:
The X.Org foundation has addressed this vulnerability with libXfont
version 1.2.1. Additionally, patches have been made available for older
releases.
"The XFree86 Project Inc. is making available a source patch available at
ftp://xfree86.org/pub/XFree86/4.6.0/fixes/fix-01 that, in part, addresses
this vulnerability."

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740>
CVE-2006-3740

Disclosure Timeline:
08/25/2006 Initial vendor notification
08/25/2005 Initial vendor response (X.Org)
09/10/2006 Initial vendor response (XFree86)
09/12/2006 Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE.
The original article can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411>
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages