Subject: NetBSD Security Advisory 2003-015: Remote and local vulnerabilities in XFree86 font libraries
To: None
From: NetBSD Security Officer
List: netbsd-announce
Date: 10/09/2003 15:33:36

		 NetBSD Security Advisory 2003-015

Topic:		Remote and local vulnerabilities in XFree86 font libraries

Version:	NetBSD-current:	source prior to August 31, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	High, for systems running an X server.

Fixed:		NetBSD-current:		August 31, 2003
		(xsrc is not branched by NetBSD release)


There is an integer overflow in the XFree86 font libraries which could lead to
privilege escalation and/or remote code execution.

Technical Details

As seen in this advisory, the exact details of these issues have not been

Solutions and Workarounds

Workaround (proposed in the XFree86 advisory):

Ensure that neither xfs nor the X server include untrusted font servers in
their font search paths.  Xfs is not started by default in NetBSD and the
X server contains only directories under /usr/X11R6/lib/X11/fonts in its
font path.

To prevent the local privilege escalation problem, remove the suid bit from the
Xserver binary.  This will mean that only root can start the X server.

        chmod u-s /usr/X11R6/bin/XFree86

Please note that removing the suid bit will NOT prevent a compromise due to
malicious fonts.
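The two workaround checks above (a font path made up only of local directories, and no setuid bit on the X server binary) can be scripted. The following is an added example, not part of the NetBSD advisory: the sample font path, the hostname fontsrv.example.org and the scratch file it marks setuid are all constructed here; on a real host you would point `has_suid` at /usr/X11R6/bin/XFree86 and feed `remote_font_entries` the path printed by `xset q`.

```shell
#!/bin/sh
# Added example for this advisory's workaround section; it is not part of the
# NetBSD advisory. It checks the two things the workaround asks for:
#   1. that a font path contains only local directories (no font servers), and
#   2. whether a binary still carries the setuid bit.
# The sample font path and the temporary file below are constructed here.

# Print every font-path element that refers to a font server rather than a
# local directory. Local directories start with "/"; font server references
# look like "tcp/host:7100" or "unix/:7100". The path is comma-separated, the
# form in which `xset q` prints it and in which xfs / XF86Config take it.
# Returns 0 if at least one font server reference was found, 1 otherwise.
remote_font_entries() {
    rc=1
    saved_ifs=$IFS
    IFS=,
    for entry in $1; do
        case $entry in
            /*) ;;                                    # local directory
            *)  printf '%s\n' "$entry"; rc=0 ;;      # font server reference
        esac
    done
    IFS=$saved_ifs
    return $rc
}

# Return 0 if the file has the setuid bit set, 1 otherwise. The fourth
# character of the `ls -l` mode field is 's' (or 'S' when the owner has no
# execute bit) when setuid is set.
has_suid() {
    case $(ls -ld "$1" | cut -c4) in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: the default NetBSD directories plus one remote font server.
sample_path='/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/75dpi/,tcp/fontsrv.example.org:7100'
if remote_font_entries "$sample_path" >/dev/null; then
    echo "font path references a font server (review these entries):"
    remote_font_entries "$sample_path"
fi

# Constructed stand-in for /usr/X11R6/bin/XFree86: a scratch file that is
# marked setuid, then cleared with the same chmod the advisory recommends.
scratch="${TMPDIR:-/tmp}/fontcheck.$$"
: > "$scratch"
chmod u+s "$scratch"
has_suid "$scratch" && echo "setuid set on $scratch"
chmod u-s "$scratch"
has_suid "$scratch" || echo "setuid cleared on $scratch"
rm -f "$scratch"
```

`remote_font_entries` flags every element that is not an absolute directory, so anything other than a plain directory path is printed for manual review; the exit status makes it usable directly in an `if`. `has_suid` reads the mode from `ls -ld` rather than `stat`, whose options differ between BSD and GNU.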


The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.

* NetBSD (all versions):

	Systems running NetBSD with X dated from before 2003-08-30
	should be upgraded to NetBSD with X dated 2003-08-31 or later.

	Unlike the main NetBSD source tree (src), xsrc is not branched
	based on NetBSD versions.

	The following directories need to be updated from the NetBSD CVS,
	after which X must be re-built and re-installed:
		# cd xsrc
		# cvs update -d -P xc/lib/font/fc xc/lib/FS \
			xfree/xc/lib/font/fc xfree/xc/lib/FS

		# make build

(The 'build' target performs installation as well as compilation)

Thanks To

Matthias Scheler

Revision History

	2003-10-09	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-015.txt,v 1.4 2003/10/09 03:30:14 groo Exp $
