SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   libXfont Vendors:   X.org
libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
SecurityTracker Alert ID:  1031935
SecurityTracker URL:  http://securitytracker.com/id/1031935
CVE Reference:   CVE-2015-1802, CVE-2015-1803, CVE-2015-1804   (Links to External Site)
Date:  Mar 17 2015
Impact:   Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in libXfont. A local user can obtain elevated privileges on the target system.

A local user with access to the X server can cause the X server to read an arbitrary font file to trigger a memory corruption error and cause denial of service conditions or execute arbitrary code on the target system with the privileges of the X server (which may be root privileges on some systems).

An overflow may occur in bdfReadProperties() in the property count [CVE-2015-1802].

An invalid pointer error may cause a crash in bdfReadCharacters() [CVE-2015-1803].

An overflow may occur in bdfReadCharacters() [CVE-2015-1804].

Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and William Robinet of Conostix reported these vulnerabilities.

Impact:   A local user can obtain elevated privileges on the target system.

A local user can cause the X server to crash.

Solution:   The vendor has issued a source code fix. The fix will be included in versions 1.4.9 and 1.5.1.
Vendor URL:  www.x.org/ (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 18 2015 (Ubuntu Issues Fix) libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, and 14.10.
Sep 3 2015 (Red Hat Issues Fix) libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Sep 4 2015 (CentOS Issues Fix) libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
CentOS has issued a fix for CentOS Linux 6 and 7.
Sep 4 2015 (Oracle Issues Fix for Oracle Linux) libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
Oracle has issued a fix for Oracle Linux 6 and 7.
Apr 18 2016 (Vendor Issues Fix) libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.



 Source Message Contents

Subject:  [oss-security] Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont




-------- Original Message --------
Subject: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in 
libXfont
Date: Tue, 17 Mar 2015 08:08:33 -0700
From: Alan Coopersmith <alan.coopersmith@oracle.com>
To: xorg-announce@lists.x.org
CC: William Robinet <william.robinet@conostix.com>, xorg@lists.x.org, 
xorg-devel@lists.x.org, Ilja Van Sprundel <ivansprundel@ioactive.com>

X.Org Security Advisory:  March 17, 2015
More BDF file parsing issues in libXfont
========================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered an
issue in the parsing of BDF font files by libXfont.  Additional testing by
Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool
uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged
user with access to the X server can tell the X server to read a given font
file from a path of their choosing, these vulnerabilities have the potential
to allow unprivileged users to run code with the privileges of the X server
(often root access).

The vulnerabilities are:

- CVE-2015-1802: bdfReadProperties: property count needs range check

     The bdf parser reads a count for the number of properties defined in
     a font from the font file, and allocates arrays with entries for each
     property based on that count.  It never checked to see if that count
     was negative, or large enough to overflow when multiplied by the size
     of the structures being allocated, and could thus allocate the wrong
     buffer size, leading to out of bounds writes.

- CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

     If the bdf parser failed to parse the data for the bitmap for any
     character, it would proceed with an invalid pointer to the bitmap
     data and later crash when trying to read the bitmap from that pointer.

- CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

     The bdf parser read metrics values as 32-bit integers, but stored
     them into 16-bit integers.  Overflows could occur in various operations
     leading to out-of-bounds memory access.

Affected Versions
=================

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.


Fixes
=====

Fixes are available in the patches for these libXfont git commits:
       2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
       78c2e3d70d29698244f70164428bd2868c0ab34c
       2351c83a77a478b49cba6beb2ad386835e264744

Which are now available from:
       git://anongit.freedesktop.org/git/xorg/lib/libXfont
       http://cgit.freedesktop.org/xorg/lib/libXfont/

Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
from X.Org.

Thanks
======

X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and
William Robinet of Conostix for reporting these issues to our security team
and helping evaluate and test the fixes; and thanks Michal Zalewski and the
American Fuzzy Lop community for providing their fuzz testing tool as an open
source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ .

-- 
	-Alan Coopersmith-              alan.coopersmith@oracle.com
	  X.Org Security Response Team - xorg-security@lists.x.org




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC