SecurityTracker.com
Category:   Application (Generic)  >   X
Vendors:   X.org
X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016828
SecurityTracker URL:  http://securitytracker.com/id/1016828
CVE Reference:   CVE-2006-3739, CVE-2006-3740
Updated:  Sep 13 2006
Original Entry Date:  Sep 12 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.1 and prior versions
Description:   A vulnerability was reported in X. A remote authenticated user can execute arbitrary code on the target system.

The software does not properly validate data when parsing CID-encoded Type1 fonts. A remote authenticated user with the ability to set the X server font path can set the path to point to a specially crafted font to trigger an integer overflow in the "type1" module and execute arbitrary code on the target system.

The scan_cidfont() function in 'Type1/scanfont.c' is affected [CVE-2006-3739]. The CIDADM() function in 'Type1/afm.c' is affected [CVE-2006-3740].

The vendor credits iDefense with reporting these vulnerabilities.
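
The bug class described above, as an added illustration (not libXfont source and not the vendor's patch): a record count read from an untrusted font file is multiplied by a record size to get an allocation length. The `cid_range` record, the function names, the 1 MiB cap and the sample count are assumptions made for this example.

```c
/* Added illustration, not libXfont code. cid_range, MAX_TABLE_BYTES and the
 * function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint32_t first, last; } cid_range;  /* hypothetical 8-byte record */
#define MAX_TABLE_BYTES ((size_t)1 << 20)            /* assumed cap for one table */

/* Unchecked pattern: a 32-bit multiply of a file-supplied count wraps silently,
 * so the buffer ends up far smaller than the loop that later fills it expects. */
uint32_t unchecked_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(cid_range);
}

/* Checked pattern: reject zero, wrapping or implausibly large counts.
 * Returns 0 and stores the byte size in *out, or -1 on rejection. */
int checked_bytes(uint32_t count, size_t elem, size_t *out)
{
    if (count == 0 || elem == 0)
        return -1;
    if (count > MAX_TABLE_BYTES / elem)   /* compare by division: cannot wrap */
        return -1;
    *out = (size_t)count * elem;
    return 0;
}

/* Allocate a table for `count` records taken from an untrusted font header. */
cid_range *alloc_ranges(uint32_t count)
{
    size_t bytes;
    if (checked_bytes(count, sizeof(cid_range), &bytes) != 0)
        return NULL;                      /* caller must fail the font load */
    return calloc(1, bytes);
}

int main(void)
{
    uint32_t big = 0x20000001u;           /* constructed sample count */
    cid_range *t = alloc_ranges(big);
    printf("unchecked size for %u records: %u bytes\n",
           (unsigned)big, (unsigned)unchecked_bytes(big));
    printf("checked allocation: %s\n", t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```
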

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (libXfont 1.2.1).

For earlier versions, apply one of the following patches:

X.Org 6.8.2

<http://xorg.freedesktop.org/releases/X11R6.8.2/patches/>
MD5: 3943de39723099857403a50bea2b4408 xorg-68x-cidfonts.patch
SHA1: 1ff2c998453e233f9278be76ccb8a827cabbb067 xorg-68x-cidfonts.patch

X.Org 6.9.0

<http://xorg.freedesktop.org/releases/X11R6.9.0/patches/>
MD5: 7c0c53f1c7ffd97b429eda1eefdff9cb x11r6.9.0-cidfonts.diff
SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037 x11r6.9.0-cidfonts.diff

X.Org 7.0 - libXfont 1.0.0

<http://xorg.freedesktop.org/releases/X11R7.0/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.0.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.0.0-cidfonts.diff

X.Org 7.1 - libXfont 1.1.0

<http://xorg.freedesktop.org/releases/X11R7.1/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.1.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.1.0-cidfonts.diff

Vendor URL:  www.x.org/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 13 2006 (Red Hat Issues Fix) X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Sep 13 2006 (Red Hat Issues Fix for XFree86) X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for XFree86 for Red Hat Enterprise Linux 2.1 and 3.
Sep 22 2006 (NetBSD Issues Fix) X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code   (NetBSD Security-Officer <security-officer@NetBSD.org>)
NetBSD has released a fix.
Mar 30 2007 (VMware Issues Fix for ESX Server) X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code   (VMware Security team <security@vmware.com>)
VMware has issued a fix for VMware ESX Server.



 Source Message Contents

Date:  Tue Sep 12 07:12:23 PDT 2006
Subject:  X.Org Security Advisory: Type1 CID fonts


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org Security Advisory, September 12, 2006
Integer overflows in handling CID encoded Type1 fonts
CVE-ID: 2006-3739, 2006-3740

Overview

It may be possible for a user with the ability to set the X server
font path, by making it point to a malicious font, to cause
arbitrary code execution or denial of service on the X server.

Vulnerability details

The lack of validation of input data while parsing CID encoded Type1
fonts in the "type1" module may cause some integer overflows while
computing the size of allocated data buffers when parsing a
font. Arbitrary code embedded in the malicious font can then be
executed by the X server.

To exploit these vulnerabilities, the ability to connect to the X server
in order to execute 'xset fp+' or the equivalent is required.

CVE-ID 2006-3740 describes a vulnerability in the scan_cidfont()
function in Type1/scanfont.c, while CVE ID 2006-3739 describes similar
problems in the CIDADM() function in Type1/afm.c.

Affected versions

All X servers using the "type1" font module with CID font support are
vulnerable to this issue. This includes all X.Org versions from 6.7.0
to 7.1 inclusive. Older versions are not supported by X.Org.

Workaround

If no CID-encoded Type 1 fonts are used, the "type1" module can be
disabled and replaced by the "freetype" module in /etc/X11/xorg.conf.
The freetype module is able to use Type1 fonts with standard (non CID)
encoding as well as True Type fonts.

Also, systems with memory address space randomization are less likely
to be successfully compromised, as the most effective way to exploit
these vulnerabilities relies on fixed address space.

Fix

These issues have been fixed in libXfont 1.2.1

For earlier versions, apply one of the following patches:

X.Org 6.8.2

<http://xorg.freedesktop.org/releases/X11R6.8.2/patches/>
3943de39723099857403a50bea2b4408  xorg-68x-cidfonts.patch
1ff2c998453e233f9278be76ccb8a827cabbb067  xorg-68x-cidfonts.patch

X.Org 6.9.0

<http://xorg.freedesktop.org/releases/X11R6.9.0/patches/>
MD5: 7c0c53f1c7ffd97b429eda1eefdff9cb  x11r6.9.0-cidfonts.diff
SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037  x11r6.9.0-cidfonts.diff

X.Org 7.0 - libXfont 1.0.0

<http://xorg.freedesktop.org/releases/X11R7.0/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea  libXfont-1.0.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d  libXfont-1.0.0-cidfonts.diff

X.Org 7.1 - libXfont 1.1.0

<http://xorg.freedesktop.org/releases/X11R7.1/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea  libXfont-1.1.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d  libXfont-1.1.0-cidfonts.diff

Thanks

These vulnerabilities were reported to the X.Org Foundation by
iDefense (IDEF1691 and IDEF1751).
- --
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iQCVAwUBRQbAR3KGCS6JWssnAQIQYwP/Vf21yp8bqTW03lwdaBqeNovDk/o9PJDZ
eEnfwwmjU1Y/hm478UCfarMLnLulxk3dOm5miDEawGtDp1uOC2oXdFKgAB+hyV0d
BQnDP5Ydy9GSOKg1Rttl3E9h5m3h0dKkRgR7TjLj95DZAy3Avbicqn622zL4OXFk
kfdC39Vmqlk=
=UOg5
-----END PGP SIGNATURE-----
 
 



Copyright 2014, SecurityGlobal.net LLC