Subject: NetBSD Security Advisory 2003-015: Remote and local vulnerabilities in XFree86 font libraries
To: None <netbsd-announce@NetBSD.org>
From: NetBSD Security Officer <security-officer@NetBSD.org>
Date: 10/09/2003 15:33:36
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2003-015
Topic: Remote and local vulnerabilities in XFree86 font libraries
Version: NetBSD-current: source prior to August 31, 2003
NetBSD 1.6.1: affected
NetBSD 1.6: affected
Severity: High, for systems running an X server.
Fixed: NetBSD-current: August 31, 2003
(xsrc is not branched by NetBSD release)
There is an integer overflow in the XFree86 font libraries, which could lead to
potential privilege escalation and/or remote code execution.
As seen in this advisory, the exact details of these issues have not been
Solutions and Workarounds
Workaround (proposed in the XFree86 advisory):
Ensure that neither xfs nor the X server include untrusted font servers in
their font search paths. Xfs is not started by default in NetBSD and the
X server contains only directories under /usr/X11R6/lib/X11/fonts in its
To prevent the local privilege escalation problem, remove the suid bit from the
Xserver binary. This will mean that only root can start the X server.
chmod u-s /usr/X11R6/bin/XFree86
Please note that removing the suid bit will NOT prevent a compromise due to
The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.
* NetBSD (all versions):
Systems running NetBSD with X dated from before 2003-08-30
should be upgraded to NetBSD with X dated 2003-08-31 or later.
Unlike the main NetBSD source tree (src), xsrc is not branched
based on NetBSD versions.
The following directories need to be updated from the netbsd CVS:
To update from CVS, re-build, and re-install X:
# cd xsrc
# cvs update -d -P xc/lib/font/fc xc/lib/FS \
# make build
(The 'build' target performs installation as well as compilation)
2003-10-09 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-015.txt,v 1.4 2003/10/09 03:30:14 groo Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----