Source-Changes archive


CVS commit: xsrc



Module Name:    xsrc
Committed By:   spz
Date:           Tue May 13 15:17:33 UTC 2014

Modified Files:
        xsrc/external/mit/libXfont/dist/src/fc: fsconvert.c fserve.c
        xsrc/external/mit/libXfont/dist/src/fontfile: dirfile.c
        xsrc/xfree/xc/lib/font/fc: fsconvert.c fserve.c
        xsrc/xfree/xc/lib/font/fontfile: dirfile.c

Log Message:
Fix multiple vulnerabilities in libXfont:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

     When a local user who is already authenticated to the X server adds
     a new directory to the font path, the X server calls libXfont to open
     the fonts.dir and fonts.alias files in that directory and add entries
     to the font tables for every line in it.  A large file (~2-4 gb) could
     cause the allocations to overflow, and allow the remaining data read
     from the file to overwrite other memory in the heap.

     Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

     When parsing replies received from the font server, these calls do not
     check that the lengths and/or indexes returned by the font server are
     within the size of the reply or the bounds of the memory allocated to
     store the data, so could write past the bounds of allocated memory when
     storing the returned data.

     Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
     fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
     fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

     These calls do not check that their calculations for how much memory
     is needed to handle the returned data have not overflowed, so can
     result in allocating too little memory and then writing the returned
     data past the end of the allocated buffer.

     Affected functions: fs_get_reply(), fs_alloc_glyphs(),
     fs_read_extent_info()

See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3 -r1.2 \
    xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
    xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.3 -r1.2 \
    xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.5 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
    xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.5 xsrc/xfree/xc/lib/font/fontfile/dirfile.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
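
The two xfs reply bug classes named in the log message (length fields not checked against the reply, and size calculations that can wrap) can be guarded against as in the following C sketch. It is an added example, not code from libXfont or from this commit; the 8-byte header layout, REC_SIZE and the names rd32() and parse_records() are hypothetical and do not reflect the real xfs wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reply layout (assumption, not the xfs protocol):
 *   bytes 0-3  total reply length in bytes, including this header
 *   bytes 4-7  number of fixed-size records that follow
 * Both fields are supplied by the peer and are untrusted. */
#define HDR_SIZE 8u
#define REC_SIZE 12u

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns a malloc'd copy of the records and stores their count in *out_n,
 * or returns NULL if any length field is inconsistent. */
unsigned char *parse_records(const unsigned char *buf, size_t buflen,
                             uint32_t *out_n) {
    if (buflen < HDR_SIZE)
        return NULL;
    uint32_t reply_len = rd32(buf);
    uint32_t nrec = rd32(buf + 4);

    /* The claimed length must fit inside what was actually received. */
    if (reply_len < HDR_SIZE || reply_len > buflen)
        return NULL;
    /* Compare by division so that nrec * REC_SIZE is never computed
     * before it is known to fit; a wrapped product would pass a
     * multiplication-based check and under-allocate. */
    if (nrec == 0 || nrec > (reply_len - HDR_SIZE) / REC_SIZE)
        return NULL;

    size_t need = (size_t)nrec * REC_SIZE; /* bounded by reply_len */
    unsigned char *recs = malloc(need);
    if (recs == NULL)
        return NULL;
    memcpy(recs, buf + HDR_SIZE, need);
    *out_n = nrec;
    return recs;
}

int main(void) {
    /* Constructed sample: 32-byte reply carrying two 12-byte records. */
    unsigned char reply[32] = {32, 0, 0, 0, 2, 0, 0, 0};
    uint32_t n = 0;
    unsigned char *r = parse_records(reply, sizeof reply, &n);
    printf("%s, %u records\n", r ? "accepted" : "rejected", (unsigned)n);
    free(r);
    return 0;
}
```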



