GLSA 200402-02: XFree86 Font Information File Buffer Overflow

Severity:high
Title:XFree86 Font Information File Buffer Overflow
Date:02/11/2004
Bugs:
ID:200402-02

Synopsis

Exploitation of a buffer overflow in the XFree86 Project Inc.'s XFree86 X Window System allows local attackers to gain root privileges.

Background

XFree86, provides a client/server interface between display hardware and the desktop environment while also providing both the windowing infrastructure and a standardized API. XFree86 is platform independent, network-transparent and extensible.

Affected packages

Package Vulnerable Unaffected Architecture(s)
x11-base/xfree < 4.3.99.902-r1 == 4.2.1-r3 All supported architectures

Description

Exploitation of a buffer overflow in The XFree86 Window System discovered by iDefence allows local attackers to gain root privileges.

The problem exists in the parsing of the 'font.alias' file. The X server (running as root) fails to check the length of the user provided input, so a malicious user may craft a malformed 'font.alias' file causing a buffer overflow upon parsing, eventually leading to the execution of arbitrary code.

To reproduce the overflow on the command line one can run:

    # cat > fonts.dir <<EOF 
    1
    word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
    EOF
    # perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
    # X :0 -fp $PWD

{Some output removed}... Server aborting... Segmentation fault (core dumped)

Impact

Successful exploitation can lead to a root compromise provided that the attacker is able to execute commands in the X11 subsystem. This can be done either by having console access to the target or through a remote exploit against any X client program such as a web-browser, mail-reader or game.

Workaround

No immediate workaround is available; a software upgrade is required.

Gentoo has released XFree 4.2.1-r3, 4.3.0-r4 and 4.3.99.902-r1 and encourages all users to upgrade their XFree86 installations. Vulnerable versions are no longer available in Portage.

Resolution

All users are recommended to upgrade their XFree86 installation:

    # emerge sync
    # emerge -pv x11-base/xfree
    # emerge x11-base/xfree

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200402-02.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!