[v2.4] libxfont: Stack buffer overflow in parsing of BDF font files (CVE-2013-6462)
Scanning of the libXfont sources with the cppcheck static analyzer included a report of:

[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.

Evaluation of this report by X.Org developers concluded that a BDF font file containing a longer than expected string could overflow the buffer on the stack. Testing in X servers built with Stack Protector resulted in an immediate crash when reading a user-provided specially crafted font.

As libXfont is used to read user-specified font files in all X servers distributed by X.Org, including the Xorg server which is often run with root privileges or as setuid-root in order to access hardware, this bug may lead to an unprivileged user acquiring root privileges in some systems.

Affected Versions
=================

This bug appears to have been introduced in the initial RCS version 1.1 checked in on 1991/05/10, and is thus believed to be present in every X11 release starting with X11R5 up to the current libXfont 1.4.6. (Manual inspection shows it is present in the sources from the X11R5 tarballs, but not in those from the X11R4 tarballs.)

Fixes
=====

A fix is available via the attached patch, which is also included in libXfont 1.4.7, released today, and available in the libXfont git repo:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63

References:
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
http://seclists.org/bugtraq/2014/Jan/15

(from redmine: issue id 2586, created on 2014-01-08, closed on 2014-02-04)
- Relations:
  - parent #2585 (closed)
- Changesets:
  - Revision a7ad4c16 by Natanael Copa on 2014-01-14T14:46:07Z:
    main/libxfont: security upgrade to 1.4.7 (CVE-2013-6462)
    fixes #2586
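
The class of defect the cppcheck warning above describes, shown as an added example that is not code from libXfont or from this issue: an unbounded `%s` conversion next to a width-limited one that also detects truncation. The `STARTCHAR` keyword, the 99-byte limit and all function and macro names are assumptions chosen for illustration; the page does not say which field or buffer size was involved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this example; not taken from the libXfont sources. */
#define GLYPH_NAME_MAX 99
#define GLYPH_NAME_BUF (GLYPH_NAME_MAX + 1)
#define STR2(x) #x
#define STR(x) STR2(x)

/* The pattern cppcheck warns about: "%s" has no field width, so a token
 * longer than the buffer is written past its end on the stack:
 *     char name[GLYPH_NAME_BUF];
 *     sscanf(line, "STARTCHAR %s", name);
 */

/* Bounded form. Returns 0 on success, -1 if the line is not a STARTCHAR
 * line (or the buffer is too small), -2 if the name exceeds the limit. */
int parse_startchar(const char *line, char *name, size_t name_size)
{
    int consumed = 0;
    if (name_size < GLYPH_NAME_BUF)
        return -1;
    /* "%99s" stores at most 99 bytes plus the NUL; %n records where it stopped. */
    if (sscanf(line, "STARTCHAR %" STR(GLYPH_NAME_MAX) "s%n", name, &consumed) != 1)
        return -1;
    /* A non-space byte right after the token means the width cut it short. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -2;
    return 0;
}

/* Constructed oversized input: a 500-byte name, far beyond the limit. */
int oversized_name_result(void)
{
    char line[600] = "STARTCHAR ";
    char name[GLYPH_NAME_BUF];
    memset(line + strlen(line), 'A', 500);   /* rest of line[] is already 0 */
    return parse_startchar(line, name, sizeof name);
}

int main(void)
{
    char name[GLYPH_NAME_BUF];
    printf("normal: %d\n", parse_startchar("STARTCHAR U+0041", name, sizeof name));
    printf("oversized: %d\n", oversized_name_result());
    return 0;
}
```

Rejecting the over-long token, rather than silently accepting the truncated prefix, keeps a malformed font from being parsed as if it were valid.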