Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   libXfont Vendors:
(NetBSD Issues Fix) libXfont BDF Font File Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1029564
SecurityTracker URL:
CVE Reference:   CVE-2013-6462
Date:  Jan 8 2014
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in libXfont. A user who can supply a font file to an X program that loads it with libXfont can cause arbitrary code to be executed on the target system.

A remote user can create a specially crafted BDF font file that, when parsed by libXfont, will trigger a stack buffer overflow and may execute arbitrary code with the privileges of the X program that loaded the font. Because the Xorg server is commonly run as root or installed setuid-root, the code may run with root privileges.

The vulnerability resides in 'lib/libXfont/src/bitmap/bdfread.c'.

Impact:   A remote user can create a file that, when loaded by the target application, will execute arbitrary code on the target system.
Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Jan 7 2014 libXfont BDF Font File Stack Overflow Lets Remote Users Execute Arbitrary Code

 Source Message Contents

Subject:  NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont


		NetBSD Security Advisory 2014-001

Topic:		Stack buffer overflow in libXfont

Version:	NetBSD-current:		source prior to Tue 7th Jan, 2014
		NetBSD 6.1:		affected
		NetBSD 6.0 - 6.0.2:	affected
		NetBSD 5.1 - 5.1.2:	affected
		NetBSD 5.2:		affected

Severity:	privilege escalation

Fixed:		NetBSD-current:		Tue 7th Jan, 2014
		NetBSD-6-0 branch:	Tue 7th Jan, 2014
		NetBSD-6-1 branch:	Tue 7th Jan, 2014
		NetBSD-6 branch:	Tue 7th Jan, 2014
		NetBSD-5-2 branch:	Tue 7th Jan, 2014
		NetBSD-5-1 branch:	Tue 7th Jan, 2014
		NetBSD-5 branch:	Tue 7th Jan, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


A stack buffer overflow in the parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont,
and likely could be exploited to run code with the privileges of
the X program (most notably the X server, which commonly runs as root).

This vulnerability has been assigned CVE-2013-6462.

Technical Details

From the X.Org advisory:

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:

   [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
       scanf without field width limits can crash with huge input data.

Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack.  Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.
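The cppcheck finding quoted above describes a generic C bug class: a "%s" conversion with no field width lets sscanf copy a whitespace-delimited token of any length into a fixed-size stack buffer. The following is an added example and is not libXfont's code. It places the unbounded pattern beside the usual remedy for this cppcheck warning (a field width tied to the destination size at compile time, plus rejection of names that did not fit), and measures, without corrupting real memory, how many bytes an over-long STARTCHAR name would write past a 100-byte buffer. The buffer size, the STARTCHAR handling and the sample lines are assumptions constructed for the illustration; libXfont's actual buffer sizes and line handling are not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not libXfont code. The buffer size is an assumption chosen
 * to stand in for a fixed-size, stack-allocated glyph name buffer. */
#define STR_(x) #x
#define STR(x) STR_(x)
#define CHARNAME_WIDTH 99                    /* max characters sscanf may store */
#define CHARNAME_MAX   (CHARNAME_WIDTH + 1)  /* plus the terminating NUL */

/* Vulnerable pattern: "%s" with no field width. sscanf copies the whole token
 * plus a NUL into 'name', however long the token is, so anything longer than
 * the destination overruns it. Called below only on an oversized scratch area
 * so that the demonstration itself stays well-defined. */
static int parse_startchar_unbounded(const char *line, char *name)
{
    return sscanf(line, "STARTCHAR %s", name) == 1;
}

/* Hardened pattern: the width is tied to the buffer at compile time, giving
 * "STARTCHAR %99s%n", so at most CHARNAME_WIDTH bytes plus a NUL are stored.
 * %n records how far the match reached; if the token continues past that
 * point the name was too long and the line is rejected, not truncated.
 * Returns 1 = ok, 0 = not a STARTCHAR line, -1 = name too long. */
static int parse_startchar_bounded(const char *line, char name[CHARNAME_MAX])
{
    int consumed = 0;

    if (sscanf(line, "STARTCHAR %" STR(CHARNAME_WIDTH) "s%n", name, &consumed) != 1)
        return 0;
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -1;
    return 1;
}

/* Constructs "STARTCHAR " + n 'A's + "\n" in out; returns 0 if it won't fit. */
static int make_startchar_line(char *out, size_t out_len, size_t n)
{
    const char prefix[] = "STARTCHAR ";

    if (n + sizeof prefix + 1 > out_len)   /* prefix, n chars, '\n', NUL */
        return 0;
    memcpy(out, prefix, sizeof prefix - 1);
    memset(out + sizeof prefix - 1, 'A', n);
    out[sizeof prefix - 1 + n] = '\n';
    out[sizeof prefix + n] = '\0';
    return 1;
}

/* How many bytes the unbounded parser writes past a CHARNAME_MAX-byte buffer
 * for a name of name_chars characters. The "buffer" is the first CHARNAME_MAX
 * bytes of a larger sentinel-filled scratch area, so the write lands in real
 * storage; each changed sentinel beyond CHARNAME_MAX is a byte that would
 * have gone onto the caller's stack frame. */
static size_t overflow_bytes(size_t name_chars)
{
    char line[2048];
    char scratch[4096];
    size_t i, over = 0;

    if (!make_startchar_line(line, sizeof line, name_chars))
        return (size_t)-1;
    memset(scratch, 0xA5, sizeof scratch);
    if (!parse_startchar_unbounded(line, scratch))
        return 0;
    for (i = CHARNAME_MAX; i < sizeof scratch; i++)
        if ((unsigned char)scratch[i] != 0xA5)
            over = i - CHARNAME_MAX + 1;
    return over;
}

/* Hardened parser on a constructed line whose name has name_chars 'A's. */
static int bounded_result(size_t name_chars)
{
    char line[2048];
    char name[CHARNAME_MAX];

    if (!make_startchar_line(line, sizeof line, name_chars))
        return -2;
    return parse_startchar_bounded(line, name);
}

/* Hardened parser on a constructed BDF line that is not STARTCHAR at all. */
static int bounded_on_other_keyword(void)
{
    char name[CHARNAME_MAX];

    return parse_startchar_bounded("ENCODING 32\n", name);
}

int main(void)
{
    const size_t sizes[] = { 5, 99, 100, 200, 1500 };
    size_t n;

    for (n = 0; n < sizeof sizes / sizeof sizes[0]; n++)
        printf("name of %4zu chars: bounded parser %2d, unbounded overrun %zu bytes\n",
               sizes[n], bounded_result(sizes[n]), overflow_bytes(sizes[n]));
    return 0;
}
```

A 99-character name fills the 100-byte buffer exactly and both parsers accept it; from 100 characters on, the bounded parser returns -1 while the unbounded one writes one byte past the end for every extra character plus the NUL. Had the unbounded variant been called on a real fixed-size stack buffer in a binary built with -fstack-protector, the overrun would abort with a stack-smashing report, which is the immediate crash the advisory describes; the scratch-area measurement is used here so the program runs to completion.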

As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.

This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
  tarballs, but not in those from the X11R4 tarballs.)

Solutions and Workarounds

Workaround: restrict access to the X server.

Solutions: a fix is included in the following versions:

xorg: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
HEAD		1.3

xfree: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
HEAD		1.4

To obtain fixed binaries, fetch the appropriate xbase.tgz from a daily
build later than the fix dates, i.e. <rel>/<date>/<arch>/binary/sets/xbase.tgz
with a date of 20140108 or later for your release version and architecture,
and then extract the X11 library directory, which contains the libXfont
shared libraries:

for xorg environments, netbsd-6* and HEAD:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/

for xorg environments on netbsd-5*:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/

and for xfree environments:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R6/lib/

To build from source, update bdfread.c to the appropriate version and then
"./ -x" from the top of the src tree.

Thanks To

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.

NetBSD would like to thank for looking for and fixing this

Revision History

	2014-01-07	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-001.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $


