SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   libXfont
Vendors:   X.org
(NetBSD Issues Fix) libXfont BDF Font File Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1029564
SecurityTracker URL:  http://securitytracker.com/id/1029564
CVE Reference:   CVE-2013-6462
Date:  Jan 8 2014
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in libXfont. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted BDF font file that, when processed by libXfont, will trigger a stack overflow and execute arbitrary code on the target system. The code may run with root privileges.

The vulnerability resides in 'lib/libXfont/src/bitmap/bdfread.c'.

Impact:   A remote user can create a file that, when loaded by the target application, will execute arbitrary code on the target system.
Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-001.txt.asc

Vendor URL:  x.org/
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Jan 7 2014 libXfont BDF Font File Stack Overflow Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont

		NetBSD Security Advisory 2014-001
		=================================

Topic:		Stack buffer overflow in libXfont


Version:	NetBSD-current:		source prior to Tue 7th, 2014
		NetBSD 6.1:		affected
		NetBSD 6.0 - 6.0.2:	affected
		NetBSD 5.1 - 5.1.2:	affected
		NetBSD 5.2:		affected

Severity:	privilege escalation

Fixed:		NetBSD-current:		Tue 7th, 2014
		NetBSD-6-0 branch:	Tue 7th, 2014
		NetBSD-6-1 branch:	Tue 7th, 2014
		NetBSD-6 branch:	Tue 7th, 2014
		NetBSD-5-2 branch:	Tue 7th, 2014
		NetBSD-5-1 branch:	Tue 7th, 2014
		NetBSD-5 branch:	Tue 7th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A stack buffer overflow in parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont,
and likely could be exploited to run code with the privileges of
the X program (most notably, the X server, commonly running as root).

This vulnerability has been assigned CVE-2013-6462.


Technical Details
=================

From the X.org advisory:

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:

   [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
       scanf without field width limits can crash with huge input data.

Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack.  Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.

As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.

This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
  tarballs, but not in those from the X11R4 tarballs.)
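The bug class the cppcheck report points at, shown as an added example that is not the libXfont source: an unbounded "%s" conversion writing a font-file token into a fixed-size stack buffer, beside the width-limited form that also rejects (rather than silently clips) an overlong token. The function names, the TOKEN_LEN limit and the BDF-style sample lines are constructed for the illustration.

```c
/* Added illustration of the advisory's bug class: sscanf() with an unbounded
 * "%s" into a fixed stack buffer, beside the width-limited form.  Not libXfont
 * code: names, buffer size and the BDF-style sample lines are constructed. */
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 31          /* constructed limit, not libXfont's */
#define STR_(x) #x
#define STR(x) STR_(x)        /* turns TOKEN_LEN into the "31" in the format */

/* Vulnerable shape (what the static analyzer flagged): no field width, so a
 * keyword of more than TOKEN_LEN bytes overruns 'tok' on the stack.  Kept
 * only for side-by-side comparison; never point it at untrusted font data. */
static int read_keyword_unsafe(const char *line, char *out, size_t outsz) {
    char tok[TOKEN_LEN + 1];
    if (sscanf(line, "%s", tok) != 1)
        return -1;
    if (strlen(tok) >= outsz)         /* too late: tok may already be overrun */
        return -3;
    strcpy(out, tok);
    return 0;
}

/* Hardened shape: the field width caps the write at TOKEN_LEN bytes plus NUL.
 * A capped conversion silently truncates, so %n records where scanning
 * stopped and the byte there is checked: anything but whitespace or end of
 * line means the real token was longer than allowed, and the line is
 * rejected instead of being clipped and misparsed. */
static int read_keyword(const char *line, char *out, size_t outsz) {
    char tok[TOKEN_LEN + 1];
    int end = 0;
    if (sscanf(line, "%" STR(TOKEN_LEN) "s%n", tok, &end) != 1)
        return -1;                    /* blank line: nothing to parse */
    if (line[end] != '\0' && strchr(" \t\r\n", line[end]) == NULL)
        return -2;                    /* overlong keyword: reject the line */
    if (strlen(tok) >= outsz)
        return -3;                    /* caller's buffer too small */
    strcpy(out, tok);
    return 0;
}

int main(void) {
    char kw[TOKEN_LEN + 1];
    char overlong[300];                          /* constructed hostile token */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("%d %s\n", read_keyword("STARTFONT 2.1", kw, sizeof kw), kw);
    printf("%d\n", read_keyword(overlong, kw, sizeof kw));  /* -2, no overflow */
    return 0;
}
```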


Solutions and Workarounds
=========================

Workaround: restrict access to the X server.

Solutions: a fix is included in the following versions:

xorg: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
HEAD		1.3
netbsd-6	1.1.1.2.2.1
netbsd-6-1	1.1.1.2.6.1
netbsd-6-0	1.1.1.2.4.1
netbsd-5	1.1.1.1.2.2
netbsd-5-2	1.1.1.1.2.1.4.1
netbsd-5-1	1.1.1.1.2.1.2.1

xfree: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
HEAD		1.4
netbsd-6	1.2.8.1
netbsd-6-1	1.2.14.1
netbsd-6-0	1.2.10.1
netbsd-5	1.2.2.1
netbsd-5-2	1.2.12.1
netbsd-5-1	1.2.6.1

To obtain fixed binaries, fetch the appropriate xbase.tgz from a daily
build later than the fix dates, i.e.
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/xbase.tgz
with a date 20140108* or larger, and your release version and architecture,
and then extract the libXfont shared library files:

for X.org environments, netbsd-6* and HEAD:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so     \
                                    ./usr/X11R7/lib/libXfont.so.3   \
                                    ./usr/X11R7/lib/libXfont.so.3.0

for X.org environments and netbsd-5*:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so     \
                                    ./usr/X11R7/lib/libXfont.so.2   \
                                    ./usr/X11R7/lib/libXfont.so.2.0

and for xfree environments:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R6/lib/libXfont.so     \
                                    ./usr/X11R6/lib/libXfont.so.1   \
                                    ./usr/X11R6/lib/libXfont.so.1.5

To build from source, update bdfread.c to the appropriate version and then
"./build.sh -x" from the top of the src tree.


Thanks To
=========

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
http://cppcheck.sourceforge.net/

NetBSD would like to thank X.org for looking for and fixing this
vulnerability.


Revision History
================

	2014-01-07	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-001.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $

Copyright 2019, SecurityGlobal.net LLC