XFree86 Buffer Overflow May Cause Denial of Service Conditions
SecurityTracker Alert ID: 1002961
SecurityTracker URL: http://securitytracker.com/id/1002961
Date: Dec 13 2001
Denial of service via local system
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 4.1.0
A buffer overflow vulnerability was reported in XFree86 that may be exploitable by certain applications.
A user reports that K Desktop can be made to crash the X Server. A local user can use the Konqueror web browser with a long input in a search box. When the search is submitted, the X Server will crash. However, the vulnerability lies in XFree86 and not the KDE utilities. The vulnerability is reportedly in the file /xf86/xc/programs/Xserver/fb/fbglyph.c.
A local user can crash the X server. Other applications that use XFree86 may provide alternate exploit paths.
The flaw has been fixed in version 4.1.0, available from the Vendor URL.
Vendor URL: www.xfree86.org/security/
Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Fri, 7 Dec 2001 21:26:53 +0000
Subject: Crashing X
I have discovered a little bug in K Desktop 2.1.2 that crashes your X Server.
By using the konqueror web browser and inputting around 9000+ A's (or
whatever) into a search box (for instance www.yahoo.com's web search box) -
this will crash your X environment.
I have successfully done it using 9000 A's on one search box (crashing X
instantly), then I used 90'000 and it also worked - but without immediate
effect (took a few seconds).
It also sometimes seems to work by just pasting 900000 A's into a search box
and before it even displays the A's X crashes. (note: If you want it to
display the A's before X crashes paste 9000, then as soon as you click to
start the search - it's bye bye X).
Sorry but I can only test it on KDE 2.1.2, because I have no other systems
available right now.
By the way:
[smackenz@mainframe smackenz]$ uname -a
Linux mainframe 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
(this works in Gnome and KDE using the konqueror web browser)
To test simply use a shell and type:
perl -e 'print "A" x 9000'
Then copy these, and paste them into a search form.
Also I tried this in netscape and it didn't work so it suggests it's a
konqueror error somewhere or other.