Multiple integer overflows in XFree86 (local/remote)

blexim_at_hush.com
Date: 08/30/03

    Date: Sat, 30 Aug 2003 02:25:55 -0700
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Remote and local vulnerabilities in XFree86 font libraries

    Product: XFree86 (4.3.0)
    Impact: Potential privilege escalation / remote code execution
    Bug class: Integer overflow
    Vendor notified: Yes
    Fix available: Yes (see end of advisory)

    Details:
    I have identified several bugs in the font libraries of the current version
    (4.3.0) of the XFree86 font libraries. These bugs could potentially
    lead to the execution of arbitrary code by a remote user in any process
    which calls the functions in question. The functions are related to
    the transfer and enumeration of fonts from font servers to clients, limiting
    the range of the exposure caused by these bugs.

    Specifically, several variables passed from a font server to a
    client are not adequately checked, allowing integer overflows to cause
    erroneous sizes of buffers to be calculated. These erroneous calculations
    can lead to buffers on the heap and stack overflowing, potentially leading
    to arbitrary code execution. As stated before, the risk is limited by the
    fact that only clients can be affected remotely by these bugs, but in some
    (non-default) configurations, both xfs and XServer can act as clients to
    remote font servers. In these configurations, both xfs and XServer could
    be potentially compromised remotely. Also, it is possible for a local
    unprivileged user to alter the configuration of Xserver in such a manner
    as to force it to load a font from an arbitrary font server. Since Xserver
    is setuid root by default, a local user may potentially gain root
    privileges.

    Workaround:
    To prevent the local privilege escalation, remove the suid bit from the
    Xserver binary:
            chmod u-s XFree86

    Ensure xfs and Xserver do not include untrusted font servers in their
    font search paths.

    Fix:
    The current CVS version of XFree86 has been updated to correct these
    issues.

    Discovered by:
    blexim@hush.com of isen
    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAj9IinUACgkQsE7ilXLZoGZziQCgv3YM2FxUt9zVUFPKqpvdoPWON2kA
    oLC5uhB0+QXxnjikMqt/3P0S462G
    =MlA3
    -----END PGP SIGNATURE-----
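
The bug class named in the advisory, shown as an added example that is not code from the advisory or from XFree86: a record count taken from a font server reply is multiplied into a buffer size, first unchecked and then with a bounds check. The advisory does not name the affected functions, so `font_rec`, `unchecked_size`, `checked_size` and `copy_records` are hypothetical names and the 12-byte record layout is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-font record in a server reply (not an XFree86 type): 12 bytes. */
typedef struct { uint32_t name_off; uint32_t name_len; uint32_t flags; } font_rec;

/* Unchecked pattern: 32-bit count * record size wraps modulo 2^32, so a very
 * large server-supplied count produces a very small allocation size. */
uint32_t unchecked_size(uint32_t count)
{
    return count * (uint32_t)sizeof(font_rec);
}

/* Checked pattern: compare the count against the bytes actually received,
 * using division so the comparison itself cannot overflow. */
int checked_size(uint32_t count, size_t reply_len, size_t *out)
{
    if (count == 0 || count > reply_len / sizeof(font_rec))
        return -1;                      /* count is not backed by reply data */
    *out = (size_t)count * sizeof(font_rec);
    return 0;
}

/* Copy records out of a reply only after the size has been validated. */
font_rec *copy_records(const unsigned char *reply, size_t reply_len, uint32_t count)
{
    size_t need;
    font_rec *recs;

    if (checked_size(count, reply_len, &need) != 0)
        return NULL;
    recs = malloc(need);
    if (recs != NULL)
        memcpy(recs, reply, need);
    return recs;
}

int main(void)
{
    uint32_t hostile = 0x15555556u;     /* constructed value: 12 * count == 2^32 + 8 */
    size_t need = 0;

    printf("unchecked size for count %u: %u bytes\n",
           (unsigned)hostile, (unsigned)unchecked_size(hostile));
    printf("checked_size result: %d\n", checked_size(hostile, 64, &need));
    return 0;
}
```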


