XFree86 Font Information File CopyISOLatin1Lowered() Buffer Overflow Lets Local Users Gain Root Privileges
SecurityTracker Alert ID: 1009031|
SecurityTracker URL: http://securitytracker.com/id/1009031
(Links to External Site)
Updated: Feb 16 2004|
Original Entry Date: Feb 12 2004
Execution of arbitrary code via local system, Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): Confirmed in 4.1.0 - 4.3.0; Prior to 126.96.36.1993 Release Candidate|
iDEFENSE reported another buffer overflow vulnerability in XFree in the parsing of the 'font.alias' file, this time residing in the CopyISOLatin1Lowered() function. A local user can gain root privileges on the target system.|
It is reported that when the ReadFontAlias() function parses a 'font.alias' file, user-supplied input may overflow a fixed length buffer of MAXFONTNAMELEN*2 (2048) characters. The flaw reportedly resides in the processing of the 'font_name' buffer in the CopyISOLatin1Lowered() function.
A local user can create a specially crafted file that will trigger a buffer overflow when the X server parses the file. Arbitrary code can be executed with root privileges, according to the report.
The vendor was reportedly notified on February 9, 2004.
The original advisory is available at:
[Editor's note: This flaw is related to but separate from the XFree86 font file vulnerability recently reported in Alert ID 1008991.]
A local user can execute arbitrary code with root privileges.|
A patch is available at:|
A fix is available at:
Vendor URL: www.xfree86.org/security (Links to External Site)
Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Thu, 12 Feb 2004 13:01:25 -0500|
Subject: iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File
iDEFENSE Security Advisory 02.11.04:
XFree86 Font Information File Buffer Overflow II
February 12, 2004
In short, XFree86 is an open source X11-based desktop infrastructure.
XFree86, provides a client/server interface between display hardware
(the mouse, keyboard, and video displays) and the desktop environment
while also providing both the windowing infrastructure and a
standardized application interface (API). XFree86 is platform
independent, network-transparent and extensible.
Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.
The vulnerability specifically exists in the use of the
CopyISOLatin1Lowered() function with the 'font_name' buffer. While
parsing a 'font.alias' file, the ReadFontAlias() function uses the
length of the input string as the limit for the copy, instead of the
size of the storage buffer. A malicious user may craft a malformed
'font.alias' file, causing a buffer overflow upon parsing and eventually
leading to the execution of arbitrary code.
To reproduce the overflow on the command line:
# cat > fonts.dir <<EOF
# perl -e 'print "data " . "0" x 2048 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD
In the function below, if lexToken is longer than MAXFONTNAMELEN*2
(2048 chars), an overflow occurs.
CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));
This is a related issue to that discussed in the iDEFENSE report
"XFree86 Font Information File Buffer Overflow"
Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.
iDEFENSE has confirmed the existence of this vulnerability in XFree86
versions 4.1.0 to the current version 4.3.0. It is suspected that
earlier versions are vulnerable as well.
V. VENDOR RESPONSE
The patch for the problem is at
it is applicable to all affected XFree86 versions.
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned CAN-2004-0084 to this issue.
VII. DISCLOSURE TIMELINE
February 9, 2004 Exploit acquired by iDEFENSE
February 9, 2004 Initial vendor notification
February 9, 2004 Response received from David Dawes at XFree86.org
February 10, 2004 iDEFENSE Clients notified
February 12, 2004 Public disclosure
Greg MacManus (iDEFENSE Labs) is credited with this discovery.