(Immunix Issues Fix) XFree86 Font Information File Buffer Overflow Lets Local Users Gain Root Privileges
|
|
SecurityTracker Alert ID: 1009053 |
|
SecurityTracker URL: http://securitytracker.com/id/1009053
|
|
CVE Reference:
CAN-2004-0083
(Links to External Site)
|
Date: Feb 14 2004
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 4.3.99.903 Release Candidate
|
Description:
iDEFENSE reported a buffer overflow vulnerability in XFree in the parsing of the 'font.alias' file. A local user can gain root privileges on the target system.
It is reported that the X server does not validate the length of user-supplied input from the 'font.alias' file. A local user can create a specially crafted file that will trigger a buffer overflow when the X server parses the file. Arbitrary code can be executed with root privileges, according to the report.
The flaw reportedly resides in the 'xc/lib/font/fontfile/dirfile.c' file in the ReadFontAlias() function, where user-supplied input may overflow a fixed length buffer of MAXFONTNAMELEN (1024) characters.
The original iDEFENSE advisory is available at:
http://www.idefense.com/application/poi/display?id=72
The following notification timeline is provided:
February 3, 2004 Vendor notified
February 10, 2004 Public disclosure
|
Impact:
A local user can execute arbitrary code with root privileges.
|
Solution:
Immunix has released a fix for Immunix 7.3, available at: http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-15-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-15-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-2-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-2-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-9-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-9-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-Xnest-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-Xvfb-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-base-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-cyrillic-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-devel-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-doc-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-font-utils-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-libs-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-tools-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-truetype-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-twm-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-xdm-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-xf86cfg-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-xfs-4.2.1-13.73.23_imnx_2.i386.rpm
Source packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/XFree86-4.2.1-13.73.23_imnx_2.src.rpm
The Immunix OS 7.3 md5sums:
4ce0720899ed71eaa9ccf762ed91d63f RPMS/XFree86-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
fc9454ef6093155b394ffd277ed6e690 RPMS/XFree86-4.2.1-13.73.23_imnx_2.i386.rpm
8dc075d66836d32d8f2f59441eb352cc RPMS/XFree86-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
255132bacc53054618579bad4174de8b RPMS/XFree86-ISO8859-15-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
ac4aee7f3ac570eeb34df940d0390a7c RPMS/XFree86-ISO8859-15-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
2a00dd0b8478af96a2494b8f861fe8be RPMS/XFree86-ISO8859-2-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
fdf21bdffa7a6eb806ae91eaa90ff140 RPMS/XFree86-ISO8859-2-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
7e9b97c42fa0dbb5c2ada01c9b918aa7 RPMS/XFree86-ISO8859-9-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
b99d9129e75999a8f27e048de02fa596 RPMS/XFree86-ISO8859-9-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
5e39a2f95d8aa763a9147c439f311a39 RPMS/XFree86-Xnest-4.2.1-13.73.23_imnx_2.i386.rpm
1f31ac8f8dace2d74a29d11f7e131162 RPMS/XFree86-Xvfb-4.2.1-13.73.23_imnx_2.i386.rpm
fee0fd253130c6667dfd8469a05ccb18 RPMS/XFree86-base-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
6f0524ea7c222b0a2824f622b0fd008e RPMS/XFree86-cyrillic-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
b683d1468d4e2d288926e31b988d06ff RPMS/XFree86-devel-4.2.1-13.73.23_imnx_2.i386.rpm
c354336c26bdd2f35553c64634f2804e RPMS/XFree86-doc-4.2.1-13.73.23_imnx_2.i386.rpm
cf6380fd0e5c0006569fd3bdea24fb51 RPMS/XFree86-font-utils-4.2.1-13.73.23_imnx_2.i386.rpm
2e0136d6b8c6d9fbef8111dd52f59004 RPMS/XFree86-libs-4.2.1-13.73.23_imnx_2.i386.rpm
3199457f2feeba2f794f4d0c3536371f RPMS/XFree86-tools-4.2.1-13.73.23_imnx_2.i386.rpm
07cb4a6c4498c5cc761e80ad953391f4 RPMS/XFree86-truetype-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
be6f5dfa8ef80df76bffdae11fc3f2de RPMS/XFree86-twm-4.2.1-13.73.23_imnx_2.i386.rpm
ba82ddab4f3ab5444e7948d67a456b99 RPMS/XFree86-xdm-4.2.1-13.73.23_imnx_2.i386.rpm
172746c34007862f709ce158f3aee4db RPMS/XFree86-xf86cfg-4.2.1-13.73.23_imnx_2.i386.rpm
aff205b03f1979b63b4da99b960485eb RPMS/XFree86-xfs-4.2.1-13.73.23_imnx_2.i386.rpm
6db108f170672ea6143bf9774734b96a SRPMS/XFree86-4.2.1-13.73.23_imnx_2.src.rpm
|
Vendor URL: www.xfree86.org/security/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Immunix)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 12 Feb 2004 21:17:47 -0800
Subject: [Immunix-announce] Immunix Secured OS 7.3 XFree86 update
|
--===============0266994492==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="0OAP2g/MAC+5xKAE"
Content-Disposition: inline
--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: XFree86
Affected products: Immunix OS 7.3
Bugs fixed: CAN-2004-0083, CAN-2004-0084, CAN-2004-0106
Date: Thu Feb 12 2004
Advisory ID: IMNX-2004-73-002-01
Author: Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------
Description:
Greg MacManus, of iDEFENSE Labs, reports finding several potentially
exploitable buffer overflows in XFree86's font code. David Dawes
provided a patch to fix these, and other, errors. Thanks also to
Patrick Volkerding for working with the patch, to allow it to more
easily apply to our version of XFree86.
As the overflowed buffers are auto variables and the functions
manipulating the buffers are string operations, StackGuard will prevent
successful exploitation of this vulnerability to gain new privileges;
however, StackGuard will kill any process that attempts to execute
exploit code. We recommend all our users upgrade to fixed packages,
which will prevent this denial of service attack.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-0084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-0106
http://www.idefense.com/application/poi/display?id=3D72
http://www.idefense.com/application/poi/display?id=3D73
Immunix 7.3 users may use our up2date service to install fixed=20
packages: you may run either "up2date" within X, and follow the
directions, or run "up2date -u" to ensure your system is current.
Package names and locations:
Precompiled binary packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-100dpi-fon=
ts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-4.2.1-13.7=
3.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-75dpi-font=
s-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-15=
-100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-15=
-75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-2-=
100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-2-=
75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-9-=
100dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-ISO8859-9-=
75dpi-fonts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-Xnest-4.2.=
1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-Xvfb-4.2.1=
-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-base-fonts=
-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-cyrillic-f=
onts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-devel-4.2.=
1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-doc-4.2.1-=
13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-font-utils=
-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-libs-4.2.1=
-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-tools-4.2.=
1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-truetype-f=
onts-4.2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-twm-4.2.1-=
13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-xdm-4.2.1-=
13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-xf86cfg-4.=
2.1-13.73.23_imnx_2.i386.rpm
http://download.immunix.org/ImmunixOS/7.3/Updates/RPMS/XFree86-xfs-4.2.1-=
13.73.23_imnx_2.i386.rpm
Source packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.3/Updates/SRPMS/XFree86-4.2.1-13.=
73.23_imnx_2.src.rpm
Immunix OS 7.3 md5sums:
4ce0720899ed71eaa9ccf762ed91d63f RPMS/XFree86-100dpi-fonts-4.2.1-13.73.2=
3_imnx_2.i386.rpm
fc9454ef6093155b394ffd277ed6e690 RPMS/XFree86-4.2.1-13.73.23_imnx_2.i386=
.rpm
8dc075d66836d32d8f2f59441eb352cc RPMS/XFree86-75dpi-fonts-4.2.1-13.73.23=
_imnx_2.i386.rpm
255132bacc53054618579bad4174de8b RPMS/XFree86-ISO8859-15-100dpi-fonts-4.=
2.1-13.73.23_imnx_2.i386.rpm
ac4aee7f3ac570eeb34df940d0390a7c RPMS/XFree86-ISO8859-15-75dpi-fonts-4.2=
.1-13.73.23_imnx_2.i386.rpm
2a00dd0b8478af96a2494b8f861fe8be RPMS/XFree86-ISO8859-2-100dpi-fonts-4.2=
.1-13.73.23_imnx_2.i386.rpm
fdf21bdffa7a6eb806ae91eaa90ff140 RPMS/XFree86-ISO8859-2-75dpi-fonts-4.2.=
1-13.73.23_imnx_2.i386.rpm
7e9b97c42fa0dbb5c2ada01c9b918aa7 RPMS/XFree86-ISO8859-9-100dpi-fonts-4.2=
.1-13.73.23_imnx_2.i386.rpm
b99d9129e75999a8f27e048de02fa596 RPMS/XFree86-ISO8859-9-75dpi-fonts-4.2.=
1-13.73.23_imnx_2.i386.rpm
5e39a2f95d8aa763a9147c439f311a39 RPMS/XFree86-Xnest-4.2.1-13.73.23_imnx_=
2.i386.rpm
1f31ac8f8dace2d74a29d11f7e131162 RPMS/XFree86-Xvfb-4.2.1-13.73.23_imnx_2=
.i386.rpm
fee0fd253130c6667dfd8469a05ccb18 RPMS/XFree86-base-fonts-4.2.1-13.73.23_=
imnx_2.i386.rpm
6f0524ea7c222b0a2824f622b0fd008e RPMS/XFree86-cyrillic-fonts-4.2.1-13.73=
.23_imnx_2.i386.rpm
b683d1468d4e2d288926e31b988d06ff RPMS/XFree86-devel-4.2.1-13.73.23_imnx_=
2.i386.rpm
c354336c26bdd2f35553c64634f2804e RPMS/XFree86-doc-4.2.1-13.73.23_imnx_2.=
i386.rpm
cf6380fd0e5c0006569fd3bdea24fb51 RPMS/XFree86-font-utils-4.2.1-13.73.23_=
imnx_2.i386.rpm
2e0136d6b8c6d9fbef8111dd52f59004 RPMS/XFree86-libs-4.2.1-13.73.23_imnx_2=
.i386.rpm
3199457f2feeba2f794f4d0c3536371f RPMS/XFree86-tools-4.2.1-13.73.23_imnx_=
2.i386.rpm
07cb4a6c4498c5cc761e80ad953391f4 RPMS/XFree86-truetype-fonts-4.2.1-13.73=
.23_imnx_2.i386.rpm
be6f5dfa8ef80df76bffdae11fc3f2de RPMS/XFree86-twm-4.2.1-13.73.23_imnx_2.=
i386.rpm
ba82ddab4f3ab5444e7948d67a456b99 RPMS/XFree86-xdm-4.2.1-13.73.23_imnx_2.=
i386.rpm
172746c34007862f709ce158f3aee4db RPMS/XFree86-xf86cfg-4.2.1-13.73.23_imn=
x_2.i386.rpm
aff205b03f1979b63b4da99b960485eb RPMS/XFree86-xfs-4.2.1-13.73.23_imnx_2.=
i386.rpm
6db108f170672ea6143bf9774734b96a SRPMS/XFree86-4.2.1-13.73.23_imnx_2.src=
.rpm
GPG verification: =
=20
Our public keys are available at http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 7.3 will not be officially supported after March 31 2005.
ImmunixOS 7+ will not be officially supported after March 1 2004.
ImmunixOS 7.0 is no longer officially supported.
ImmunixOS 6.2 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.
--0OAP2g/MAC+5xKAE
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFALF35n5I6Lxt0VtoRAr/4AKDwuTtJ9NRvmr6nWw9KgZANW7T8IQCgijw/
JG8clZ7lUl5lfR4MIy86+V4=
=cu+K
-----END PGP SIGNATURE-----
--0OAP2g/MAC+5xKAE--
--===============0266994492==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
--===============0266994492==--
|
|
