SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   XFree
Vendors:   XFree86 Project
(NetBSD Issues Fix) Re: XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation
SecurityTracker Alert ID:  1007912
SecurityTracker URL:  http://securitytracker.com/id/1007912
CVE Reference:   CVE-2003-0730   (Links to External Site)
Date:  Oct 9 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.3.0
Description:   Several integer overflow vulnerabilities were reported in the XFree86 font libraries (the font-client code under xc/lib/font/fc and the font-server client library under xc/lib/FS). A malicious font server can execute arbitrary code on a client that uses these libraries, and a local user may be able to use the setuid-root X server to execute arbitrary code with root privileges.

It is reported that a remote user may be able to exploit these flaws through any application that uses the libraries. The exact impact depends on how the application uses them.

According to the report, the vulnerabilities are integer overflows that may occur while transferring and enumerating fonts from a font server to a client.

The report indicates that where xfs or the X server act as clients of another font server, a remote user who controls that font server can execute arbitrary code on those systems.

In addition, a local user can modify the X server configuration (for example, its font path) so that the X server loads a font from a malicious font server, resulting in the execution of arbitrary code. Because the X server binary is reportedly installed set-user-id (setuid) root, a local user can thus obtain root privileges.
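The bug class this advisory describes, as an added C illustration that is not the XFree86 code (the advisory below notes that the exact details were not shared, and the real font-server wire format is not on this page): a client sizes a buffer from a record count it received from a font server. The reply layout, the 8-byte record, the function names and the 0x20000001 count are all constructed for this example. `unsafe_reply_bytes` shows the 32-bit product wrapping to a tiny allocation; `parse_font_list` is the hardened form, which also rejects a reply that claims more records than it actually carries.

```c
/* Added illustration of an integer overflow while sizing a font-list reply.
 * Constructed for this page: NOT XFree86 libFS/fc code, NOT the real FS
 * protocol. Layout: uint32 little-endian record count, then `count`
 * fixed-size 8-byte records (uint16 id, uint16 flags, uint32 size). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_SIZE 4u
#define REC_SIZE 8u

struct font_rec {
    uint16_t id;
    uint16_t flags;
    uint32_t size;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the byte count is computed in 32-bit arithmetic from a
 * server-controlled record count. count = 0x20000001 gives 0x100000008, which
 * wraps to 8: such a client would allocate 8 bytes and then copy 0x20000001
 * records into it. The wrapped value is returned so the wrap is observable. */
uint32_t unsafe_reply_bytes(uint32_t count)
{
    return count * REC_SIZE;
}

/* Hardened parse. Rejects a count whose product would overflow and a count
 * that claims more records than were received, then copies the records into
 * freshly allocated storage. Returns NULL on any rejection. */
struct font_rec *parse_font_list(const uint8_t *buf, size_t len, uint32_t *count_out)
{
    if (buf == NULL || len < HDR_SIZE)
        return NULL;

    uint32_t count = rd32le(buf);

    /* 1. the multiplication must not overflow (matters on 32-bit size_t) */
    if (count > (SIZE_MAX - HDR_SIZE) / REC_SIZE || count > SIZE_MAX / sizeof(struct font_rec))
        return NULL;
    size_t need = HDR_SIZE + (size_t)count * REC_SIZE;

    /* 2. the server may not claim more data than it actually sent */
    if (need > len)
        return NULL;

    struct font_rec *recs = malloc(count ? count * sizeof *recs : 1);
    if (recs == NULL)
        return NULL;

    const uint8_t *p = buf + HDR_SIZE;
    for (uint32_t i = 0; i < count; i++, p += REC_SIZE) {
        recs[i].id    = (uint16_t)(p[0] | (p[1] << 8));
        recs[i].flags = (uint16_t)(p[2] | (p[3] << 8));
        recs[i].size  = rd32le(p + 4);
    }
    *count_out = count;
    return recs;
}

int main(void)
{
    /* constructed well-formed reply: two records */
    uint8_t reply[HDR_SIZE + 2 * REC_SIZE] = {
        2, 0, 0, 0,               /* count = 2 */
        1, 0, 0, 0, 16, 0, 0, 0,  /* id 1, flags 0, size 16 */
        2, 0, 1, 0, 0, 1, 0, 0    /* id 2, flags 1, size 256 */
    };
    uint32_t n = 0;
    struct font_rec *recs = parse_font_list(reply, sizeof reply, &n);
    printf("good reply: %u records parsed\n", recs ? n : 0);
    free(recs);

    /* constructed hostile reply: claims 0x20000001 records, carries 16 bytes */
    uint8_t evil[HDR_SIZE + 2 * REC_SIZE] = { 0x01, 0x00, 0x00, 0x20 };
    printf("unsafe 32-bit sizing of 0x20000001 records: %u bytes\n",
           unsafe_reply_bytes(0x20000001u));
    printf("hardened parse of the same reply: %s\n",
           parse_font_list(evil, sizeof evil, &n) ? "accepted" : "rejected");
    return 0;
}
```

On a 64-bit host the product for 0x20000001 does not wrap in size_t, so it is the second check (claimed size against bytes received) that rejects the reply; on a 32-bit host the first check fires. Both are needed, which is why the hardened parser carries both.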

Impact:   A remote user may be able to execute arbitrary code. The exact impact depends on the applications that use the affected font libraries.

A local user may be able to cause Xserver to execute arbitrary code with root privileges.

Solution:   NetBSD has issued a fix.

For NetBSD (all versions):

Systems running NetBSD with X dated from before 2003-08-30 should be upgraded to NetBSD with X dated 2003-08-31 or later.

Unlike the main NetBSD source tree (src), xsrc is not branched based on NetBSD versions.

The following directories need to be updated from the netbsd CVS:
xsrc/xc/lib/font/fc
xsrc/xc/lib/FS
xsrc/xfree/xc/lib/font/fc
xsrc/xfree/xc/lib/FS


To update from CVS, re-build, and re-install X:
# cd xsrc
# cvs update -d -P xc/lib/font/fc xc/lib/FS \
xfree/xc/lib/font/fc xfree/xc/lib/FS

# make build

(The 'build' target performs installation as well as compilation)

Vendor URL:  www.xfree.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6.1 and prior versions

Message History:   This archive entry is a follow-up to the message listed below.
Aug 31 2003 XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation

Source Message Contents

Subject:  NetBSD Security Advisory 2003-015: Remote and local vulnerabilities in XFree86 font libraries

-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2003-015
		 =================================

Topic:		Remote and local vulnerabilities in XFree86 font libraries

Version:	NetBSD-current:	source prior to August 31, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	High, for systems running an X server.

Fixed:		NetBSD-current:		August 31, 2003
		(xsrc is not branched by NetBSD release)


Abstract
========

There are integer overflows in the XFree86 font libraries which could lead to
local privilege escalation and/or remote code execution.


Technical Details
=================

http://www.securityfocus.com/archive/1/335592

As seen in this advisory, the exact details of these issues have not been
shared.


Solutions and Workarounds
=========================

Workaround (proposed in the XFree86 advisory):

Ensure that neither xfs nor the X server includes an untrusted font server in
its font search path.  xfs is not started by default in NetBSD, and the
default X server configuration lists only directories under
/usr/X11R6/lib/X11/fonts in its font path.

To prevent the local privilege escalation problem, remove the suid bit from the
X server binary.  This means that only root can start the X server.

        chmod u-s /usr/X11R6/bin/XFree86

Please note that removing the suid bit will NOT prevent a compromise by a
malicious font server: it only closes the route by which an unprivileged local
user gains root, and an X server or xfs started by root that contacts such a
server is still exploited with root privileges.
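A small audit script for the two workaround checks above, added here and not part of the NetBSD advisory: it lists every FontPath entry of an XF86Config-style file that names a font server (the trans/host:port form, e.g. tcp/host:7100 or unix/:7100) rather than a local directory, and reports whether the X server binary the advisory names is still setuid. The sample configuration fragment is constructed for the example; the helper names are this script's own.

```shell
#!/bin/sh
# Added audit helper for the workaround above. Not part of the NetBSD advisory;
# the XF86Config fragment below is constructed, and /usr/X11R6/bin/XFree86 is
# the binary path the advisory names.

# Print each FontPath entry of an XF86Config-style file that names a font
# server (trans/host:port, e.g. tcp/host:7100 or unix/:7100) instead of a
# local directory. Comment text is stripped first. Exit status is 0 if at
# least one such entry was found, 1 if the font path is purely local.
remote_fontpaths() {
    sed -n 's/#.*//; s/^[[:space:]]*FontPath[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        grep -E '^[A-Za-z0-9]+/'
}

# Number of font-server entries, for callers that want a value, not a list.
count_remote_fontpaths() {
    remote_fontpaths "$1" | wc -l | tr -d ' '
}

# True (exit 0) if the given X server binary still carries the setuid bit that
# the advisory's "chmod u-s" workaround removes.
xserver_is_setuid() {
    [ -u "$1" ]
}

# Write a constructed XF86Config "Files" section to the given path.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a shipped NetBSD configuration
Section "Files"
    RgbPath   "/usr/X11R6/lib/X11/rgb"
    FontPath  "/usr/X11R6/lib/X11/fonts/misc/"
    FontPath  "/usr/X11R6/lib/X11/fonts/Type1/"
    FontPath  "unix/:7100"                    # local xfs over a Unix socket
    FontPath  "tcp/fonts.example.net:7100"    # font server on another host
    # FontPath "tcp/old-fonts.example.net:7100"   commented out, must not count
EndSection
EOF
}

# Stand-alone demonstration against the constructed sample.
main() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    echo "font-server entries in $cfg:"
    remote_fontpaths "$cfg" || echo "  (none)"
    echo "count: $(count_remote_fontpaths "$cfg")"
    if xserver_is_setuid /usr/X11R6/bin/XFree86; then
        echo "/usr/X11R6/bin/XFree86 is setuid: any local user can start it"
    else
        echo "/usr/X11R6/bin/XFree86 is not setuid (or not installed here)"
    fi
    rm -f "$cfg"
}
main
```

Run it against the real configuration (/etc/X11/XF86Config or wherever the local X server reads it) and against any font path given on the X server command line; every entry it prints is a font server whose replies reach the vulnerable library code, so each one must be trusted or removed until the fixed libraries are installed.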

Fix:

The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.

* NetBSD (all versions):

	Systems running NetBSD with X dated from before 2003-08-30
	should be upgraded to NetBSD with X dated 2003-08-31 or later.

	Unlike the main NetBSD source tree (src), xsrc is not branched
	based on NetBSD versions.

	The following directories need to be updated from the netbsd CVS:
		xsrc/xc/lib/font/fc
		xsrc/xc/lib/FS
		xsrc/xfree/xc/lib/font/fc
		xsrc/xfree/xc/lib/FS


	To update from CVS, re-build, and re-install X:
		# cd xsrc
		# cvs update -d -P xc/lib/font/fc xc/lib/FS \
			xfree/xc/lib/font/fc xfree/xc/lib/FS

		# make build

(The 'build' target performs installation as well as compilation)


Thanks To
=========

Matthias Scheler


Revision History
================

	2003-10-09	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-015.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-015.txt,v 1.4 2003/10/09 03:30:14 groo Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBP4V/2j5Ru2/4N2IFAQGksgQAgDjq8uINDBkHiA+xou+YcQjpQf5JGxCB
JPxjNJQx7Huh5ysfzML353uQ/Xp7qmDzTen6rfbgucX/glWH4vOeBoDcFuDi0jbj
WId1u2gsV87lFuMD365r6ZPnD1UikQuU5+0L2QQto9yXwSWsiUZvTW3/e2EKexAc
c4vKGBzp4Rc=
=UbHb
-----END PGP SIGNATURE-----

Copyright 2022, SecurityGlobal.net LLC