Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   libXfont Vendors:
(Vendor Issues Fix) libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges
SecurityTracker Alert ID:  1035584
SecurityTracker URL:
CVE Reference:   CVE-2015-1802, CVE-2015-1803, CVE-2015-1804   (Links to External Site)
Date:  Apr 18 2016
Impact:   Denial of service via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in libXfont. A local user can obtain elevated privileges on the target system.

A local user with access to the X server can cause the X server to read an arbitrary font file to trigger a memory corruption error and cause denial of service conditions or execute arbitrary code on the target system with the privileges of the X server (which may be root privileges on some systems).

An overflow may occur in bdfReadProperties() in the property count [CVE-2015-1802].

An invalid pointer error may cause a crash in bdfReadCharacters() [CVE-2015-1803].

An overflow may occur in bdfReadCharacters() [CVE-2015-1804].

Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and William Robinet of Conostix reported these vulnerabilities.

Impact:   A local user can obtain elevated privileges on the target system.

A local user can cause the X server to crash.

Solution:   NetBSD has issued a fix for CVE-2015-1802, CVE-2015-1803, and CVE-2015-1804.

The NetBSD advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Mar 17 2015 libXfont Font Processing Flaws Lets Local Users Deny Service or Gain Elevated Privileges

 Source Message Contents

Subject:  NetBSD Security Advisory 2016-002: BDF file parsing issues in libXfont

Hash: SHA1

		 NetBSD Security Advisory 2016-002

Topic:		BDF file parsing issues in libXfont

Version:	NetBSD-current:		affected prior to 20150319
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected
		NetBSD 5.1 - 5.1.4:	affected
		NetBSD 5.2 - 5.2.2:	affected
		pkgsrc:			affected

Severity:	remote DoS, potential local privilege escalation

Fixed:		NetBSD-current:		March 18th, 2015
		NetBSD-6 branch:	March 18th, 2015
		NetBSD-6-1 branch:	March 18th, 2015
		NetBSD-6-0 branch:	March 18th, 2015
		NetBSD-5 branch:	March 18th, 2015
		NetBSD-5-2 branch:	March 18th, 2015
		NetBSD-5-1 branch:	March 18th, 2015
		pkgsrc:			libXfont-1.5.1 corrects this issue

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Ilja van Sprundel, a security researcher with IOActive, has discovered an
issue in the parsing of BDF font files by libXfont. Additional testing by
Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl)
tool uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an
unprivileged user with access to the X server can tell the X server to
read a given font file from a path of their choosing, these
vulnerabilities have the potential to allow unprivileged users to run
code with the privileges of the X server (often root access).

These vulnerabilities have been assigned CVE-2015-1802, CVE-2015-1803,
and CVE-2015-1804.

Technical Details

CVE-2015-1802: bdfReadProperties: property count needs range check

The bdf parser reads a count for the number of properties defined in a
font from the font file, and allocates arrays with entries for each
property based on that count. It never checked to see if that count was
negative, or large enough to overflow when multiplied by the size of
the structures being allocated, and could thus allocate the wrong
buffer size, leading to out of bounds writes.

CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap data
and later crash when trying to read the bitmap from that pointer.

CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

The bdf parser read metrics values as 32-bit integers, but stored them
into 16-bit integers. Overflows could occur in various operations
leading to out-of-bounds memory access.

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.

Solutions and Workarounds

Workaround: don't allow clients that might open unvetted fonts on
your X server. Note this includes web browsers.

Solution: replace a vulnerable libXfont with a fixed version.

Binary fixes:
with REL being your NetBSD release version
DATE being a date past the fix date for your release
ARCH being the architecture of the system to be fixed

libXfont paths will differ by version and architecture, depending on
whether your architecture uses /usr/X11R6 or /usr/X11R7:


all versions	./usr/X11R7/lib/

netbsd-5*	./usr/X11R7/lib/

netbsd-6-0+	./usr/X11R7/lib/

so e.g. for a NetBSD 6.0 or younger amd64 system you'd do:
cd / && tar xzpf path-to/xbase.tgz ./usr/X11R7/lib/ \
		./usr/X11R7/lib/  \

- From source:

affected files and fixed versions are:

HEAD		1.4

HEAD		1.5

use -x distribution to build a new system including X after 
updating your source.

Thanks To

Thanks to Ilja van Sprundel, Alan Coopersmith and William Robinet and the
text of X.Org advisory 2015-03-17

Revision History

	2016-04-16	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2016-002.txt,v 1.1 2016/04/16 15:18:30 christos Exp $

Version: GnuPG v1


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC