Current-Users archive
NetBSD Security Advisory 2014-005: libXfont multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2014-005
=================================
Topic:    libXfont multiple vulnerabilities

Version:  NetBSD-current:    source prior to May 13th, 2014
          NetBSD 6.1 - 6.1.4: affected
          NetBSD 6.0 - 6.0.5: affected
          NetBSD 5.1 - 5.1.4: affected
          NetBSD 5.2 - 5.2.2: affected

Severity: privilege escalation

Fixed:    NetBSD-current:     May 13th, 2014
          NetBSD-6-0 branch:  May 14th, 2014
          NetBSD-6-1 branch:  May 14th, 2014
          NetBSD-6 branch:    May 14th, 2014
          NetBSD-5-2 branch:  May 14th, 2014
          NetBSD-5-1 branch:  May 14th, 2014
          NetBSD-5 branch:    May 14th, 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
1. Integer overflow of allocations in font metadata file parsing.
   This vulnerability has been assigned CVE-2014-0209.

2. Unvalidated length fields when parsing xfs protocol replies.
   This vulnerability has been assigned CVE-2014-0210.

3. Integer overflows calculating memory needs for xfs replies.
   This vulnerability has been assigned CVE-2014-0211.

The X server commonly runs as root, and the user of the X server
controls the font path. A malicious local user could therefore
trigger these buffer overflows by pointing the font path at a
prepared font directory or at a malicious xfs server, and so
execute code as root.
Technical Details
=================
Citing from the X.org advisory:

1. Integer overflow of allocations in font metadata file parsing

   When a local user who is already authenticated to the X server adds
   a new directory to the font path, the X server calls libXfont to open
   the fonts.dir and fonts.alias files in that directory and add entries
   to the font tables for every line in it. A large file (~2-4 GB) could
   cause the allocations to overflow, and allow the remaining data read
   from the file to overwrite other memory in the heap.

2. Unvalidated length fields when parsing xfs protocol replies

   When parsing replies received from the font server, these calls do not
   check that the lengths and/or indexes returned by the font server are
   within the size of the reply or the bounds of the memory allocated to
   store the data, so could write past the bounds of allocated memory when
   storing the returned data.

3. Integer overflows calculating memory needs for xfs replies

   These calls do not check that their calculations for how much memory
   is needed to handle the returned data have not overflowed, so can
   result in allocating too little memory and then writing the returned
   data past the end of the allocated buffer.
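The three defects above share one shape: a count or length that arrives from an untrusted file or font server is used to size a buffer or to index into it without first being checked against the data actually received or against the limits of the allocation arithmetic. The following C program is an added example written for this advisory; it is not libXfont code, not the X.org fix, and not the real xfs wire format. It assumes a constructed reply layout (a big-endian 32-bit name count followed by records of one length byte plus that many name bytes) and shows the two checks a hardened parser performs: every length field is validated against the number of bytes received before it is used, and every count * size and size + size computation is checked for overflow before malloc() is called. The helpers checked_array_size, scan_name_list, parse_name_list, name_list_count and name_list_equals and the SAMPLE_* inputs are all hypothetical names introduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <stdio.h>

/* Overflow-checked count * size: the check a parser needs before an
 * attacker-controlled entry count becomes an allocation size. */
int checked_array_size(size_t count, size_t size, size_t *out)
{
    if (size != 0 && count > SIZE_MAX / size)
        return 0;
    *out = count * size;
    return 1;
}

/* Constructed reply layout (an assumption for this example, not the xfs
 * wire format): big-endian uint32 count, then count records of
 * { uint8 len, len name bytes }.  Walk the records against the bytes
 * actually received.  Returns 0, or -1 if any length runs past the data. */
static int scan_name_list(const uint8_t *buf, size_t received_len,
                          uint32_t *count_out, size_t *bytes_out)
{
    if (received_len < 4)
        return -1;
    uint32_t count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    size_t pos = 4, bytes = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (pos >= received_len)        /* the length byte itself is missing */
            return -1;
        uint8_t len = buf[pos++];
        if (len > received_len - pos)   /* the name bytes are missing */
            return -1;
        pos += len;
        bytes += (size_t)len + 1;       /* one NUL terminator per name */
    }
    *count_out = count;
    *bytes_out = bytes;
    return 0;
}

/* Parse a reply into one heap block: a NULL-terminated char* table followed
 * by the NUL-terminated names.  Returns the name count, or -1 on malformed
 * input or allocation failure.  The caller frees *names_out with free(). */
int parse_name_list(const uint8_t *buf, size_t received_len, char ***names_out)
{
    uint32_t count;
    size_t name_bytes, table_bytes;
    if (scan_name_list(buf, received_len, &count, &name_bytes) != 0)
        return -1;
    if (count > INT_MAX)
        return -1;
    if (!checked_array_size((size_t)count + 1, sizeof(char *), &table_bytes))
        return -1;
    if (name_bytes > SIZE_MAX - table_bytes)   /* the addition can overflow too */
        return -1;
    char **names = malloc(table_bytes + name_bytes);
    if (names == NULL)
        return -1;
    char *store = (char *)(names + count + 1);
    size_t pos = 4, off = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint8_t len = buf[pos++];       /* bounds already proven by scan_name_list */
        memcpy(store + off, buf + pos, len);
        store[off + len] = '\0';
        names[i] = store + off;
        pos += len;
        off += (size_t)len + 1;
    }
    names[count] = NULL;
    *names_out = names;
    return (int)count;
}

/* Constructed sample replies, not captured traffic. */
const uint8_t SAMPLE_GOOD[] = { 0, 0, 0, 2, 5, 'f', 'i', 'x', 'e', 'd',
                                4, '6', 'x', '1', '3' };
const uint8_t SAMPLE_LYING_COUNT[] = { 0, 0, 0, 3, 5, 'f', 'i', 'x', 'e', 'd',
                                       4, '6', 'x', '1', '3' };
const uint8_t SAMPLE_TRUNCATED[] = { 0, 0, 0, 1, 9, 'a', 'b' };

/* Parse a reply and return only its count (or -1), freeing the result. */
int name_list_count(const uint8_t *buf, size_t received_len)
{
    char **names = NULL;
    int n = parse_name_list(buf, received_len, &names);
    free(names);
    return n;
}

/* Return 1 if name number idx of the parsed reply equals expected, else 0. */
int name_list_equals(const uint8_t *buf, size_t received_len, size_t idx,
                     const char *expected)
{
    char **names = NULL;
    int n = parse_name_list(buf, received_len, &names);
    int ok = n > 0 && idx < (size_t)n && strcmp(names[idx], expected) == 0;
    free(names);
    return ok;
}

int main(void)
{
    printf("good=%d lying=%d truncated=%d\n",
           name_list_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           name_list_count(SAMPLE_LYING_COUNT, sizeof SAMPLE_LYING_COUNT),
           name_list_count(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The reply that declares three names but carries only two, and the one whose length byte exceeds the bytes received, are both rejected before any copy takes place; the sizing arithmetic is likewise refused rather than silently wrapped. A parser for the real fonts.dir and xfs formats needs the same two properties, whatever its record layout.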
Solutions and Workarounds
=========================
Update libXfont to a non-vulnerable version.

libXfont is contained in xbase.tgz, so get

  http://nyftp.netbsd.org/pub/NetBSD-daily/<r>/<d>/<a>/binary/sets/xbase.tgz

with <r>=release, <d>=date > 20140514, <a>=arch (for example:
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6/201405220640Z/amd64/binary/sets/xbase.tgz)
and then:

  for X.org:
    cd / ; tar xzpf xbase.tgz ./usr/X11R7/lib/libXfont.so.3.0

  for xfree:
    cd / ; tar xzpf xbase.tgz ./usr/X11R6/lib/libXfont.so.1.5

or rebuild the system from fixed source with build.sh -x.
Fixed versions:

X.org: xsrc/external/mit/libXfont/dist/src/

  File                 HEAD   6             6-1           6-0
  fc/fsconvert.c       1.2    1.1.1.2.2.1   1.1.1.2.6.1   1.1.1.2.4.1
  fc/fserve.c          1.2    1.1.1.2.2.1   1.1.1.2.6.1   1.1.1.2.4.1
  fontfile/dirfile.c   1.2    1.1.1.2.2.1   1.1.1.2.6.1   1.1.1.2.4.1

  File                 5              5-2                5-1
  fc/fsconvert.c       1.1.1.1.2.2    1.1.1.1.2.1.4.1    1.1.1.1.2.1.2.1
  fc/fserve.c          1.1.1.1.2.2    1.1.1.1.2.1.4.1    1.1.1.1.2.1.2.1
  fontfile/dirfile.c   1.1.1.1.2.2    1.1.1.1.2.1.4.1    1.1.1.1.2.1.2.1

xfree: xsrc/xfree/xc/lib/font/

  File                 HEAD   6           6-1         6-0
  fc/fsconvert.c       1.5    1.4.26.1    1.4.32.1    1.4.28.1
  fc/fserve.c          1.5    1.4.26.1    1.4.32.1    1.4.28.1
  fontfile/dirfile.c   1.5    1.4.14.1    1.4.20.1    1.4.16.1

  File                 5           5-2         5-1
  fc/fsconvert.c       1.4.20.1    1.4.30.1    1.4.24.1
  fc/fserve.c          1.4.20.1    1.4.30.1    1.4.24.1
  fontfile/dirfile.c   1.4.8.1     1.4.18.1    1.4.12.1
Thanks To
=========
Thanks to Ilja van Sprundel, a security researcher with IOActive, who
discovered the issues, and to the X.org security team for developing
fixes and coordinating the vulnerability release.
Revision History
================
2014-05-28 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-005.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-005.txt,v 1.1 2014/05/27 23:53:20 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=VDy0
-----END PGP SIGNATURE-----