[UNIX] Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Apr 2007 17:39:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Multiple Vendor X Server fonts.dir File Parsing Integer Overflow
The X Window System (or X11) is "a graphical windowing system used on
Unix-like systems. It is based on a client/server model". Local
exploitation of an integer overflow vulnerability in multiple vendors'
implementations of the X Window System font information file parsing
component could allow execution of arbitrary commands with elevated
* in X.Org X11R7.1
* in X.Org X11R7.2
The vulnerability specifically exists in the parsing of the "fonts.dir"
font information file. When the element count on the first line of the
file specifies it contains more than 1,073,741,824 (2 to the power of 30)
elements, a potentially exploitable heap overflow condition occurs.
Exploitation allows attackers to execute arbitrary code with elevated
As the X11 server requires direct access to video hardware, it runs with
elevated privileges. A user compromising an X server would gain those
In order to exploit this vulnerability, an attacker would need to be able
to cause the X server to use a maliciously constructed font. The X11
server contains multiple methods for a user to define additional paths to
look for fonts. An exploit has been developed using the "-fp" command line
option to the X11 server to pass the location of the attack to the server.
It is also possible to use "xset" command with the "fp" option to perform
an attack on an already running server.
Some distributions allow users to start the X11 server only if they are
logged on at the console, while others will allow any user to start it.
Attempts at exploiting this vulnerability may put the console into an
unusable state. This will not prevent repeated exploitation attempts.
iDefense is currently unaware of any effective workaround for this issue.
The X.Org Foundation has addressed this vulnerability with source code
patches. More information can be found from their advisory at the
02/21/2007 - Initial vendor notification
02/21/2007 - Initial vendor response
04/03/2007 - Coordinated public disclosure
The information has been provided by Greg MacManus of iDefense Labs.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability
- Next by Date: [UNIX] Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability
- Previous by thread: [UNIX] Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability
- Next by thread: [UNIX] Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability