libxfont: X Font Service Protocol & Font metadata file handling issues (CVE-2014-0209,CVE-2014-0210,CVE-2014-0211)
Patches are found: http://cgit.freedesktop.org/xorg/lib/libXfont/log/?h=libXfont-1.4-branch
X.Org Security Advisory: May 13, 2014 X Font Service Protocol & Font metadata file handling issues in libXfont ======================================================================== Description: ============ Ilja van Sprundel, a security researcher with IOActive, has discovered several issues in the way the libXfont library handles the responses it receives from xfs servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues. Most of these issues stem from libXfont trusting the font server to send valid protocol data, and not verifying that the values will not overflow or cause other damage. This code is commonly called from the X server when an X Font Server is active in the font path, so may be running in a setuid-root process depending on the X server in use. Exploits of this path could be used by a local, authenticated user to attempt to raise privileges; or by a remote attacker who can control the font server to attempt to execute code with the privileges of the X server. (CVE-2014-XXXA is the exception, as it does not involve communication with a font server, as explained below.) The vulnerabilities are: - CVE-2014-0209: integer overflow of allocations in font metadata file parsing When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias() - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info() - CVE-2014-0211: integer overflows calculating memory needs for xfs replies These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info() Affected Versions ================= X.Org believes all prior versions of this library contain these flaws, dating back to its introduction in X11R5. Fixes ===== Fixes are available in the patches for these libXfont git commits: 2f5e57317339c526e6eaee1010b0e2ab8089c42e 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc 891e084b26837162b12f841060086a105edde86d cbb64aef35960b2882be721f4b8fbaa0fb649d12 0f1a5d372c143f91a602bdf10c917d7eabaee09b 491291cabf78efdeec8f18b09e14726a9030cc8f c578408c1fd4db09e4e3173f8a9e65c81cc187c1 a42f707f8a62973f5e8bbcd08afb10a79e9cee33 a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 520683652564c2a4e42328ae23eef9bb63271565 5fa73ac18474be3032ee7af9c6e29deab163ea39 d338f81df1e188eb16e1d6aeea7f4800f89c1218 Which are available now from: git://anongit.freedesktop.org/git/xorg/lib/libXfont http://cgit.freedesktop.org/xorg/lib/libXfont/ Fixes will also be included in these module releases from X.Org: libXfont 1.4.8 libXfont 184.108.40.2061 (1.5.0 RC 1) Thanks ====== X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our security team and assisting them in understanding them and evaluating our fixes, and Alan Coopersmith of Oracle for coordinating the X.Org response and developing the fixes for these issues.
(from redmine: issue id 2883, created on 2014-05-14, closed on 2014-05-14)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information