Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Mar 2015 16:18:43 +0100
From: Sven Schwedas <>
Subject: Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More
 BDF file parsing issues in libXfont

On 2015-03-17 16:11, Alan Coopersmith wrote:
> -------- Original Message --------
> Subject: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing
> issues in libXfont
> Date: Tue, 17 Mar 2015 08:08:33 -0700
> From: Alan Coopersmith <>
> To:
> CC: William Robinet <>,,
>, Ilja Van Sprundel <>
> X.Org Security Advisory:  March 17, 2015
> More BDF file parsing issues in libXfont
> ========================================
> Description:
> ============
> Ilja van Sprundel, a security researcher with IOActive, has discovered an
> issue in the parsing of BDF font files by libXfont.  Additional testing by
> Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool
> uncovered two more issues in the parsing of BDF font files.
> As libXfont is used by the X server to read font files, and an unprivileged
> user with access to the X server can tell the X server to read a given font
> file from a path of their choosing, these vulnerabilities have the
> potential

Can this be exploited by any current browser's web fonts implementation,
or will this require local access? (Loading fonts from user-writeable
~/.fonts seems to be enabled by default.)

> to allow unprivileged users to run code with the privileges of the X server
> (often root access).
> The vulnerabilities are:
> - CVE-2015-1802: bdfReadProperties: property count needs range check
>     The bdf parser reads a count for the number of properties defined in
>     a font from the font file, and allocates arrays with entries for each
>     property based on that count.  It never checked to see if that count
>     was negative, or large enough to overflow when multiplied by the size
>     of the structures being allocated, and could thus allocate the wrong
>     buffer size, leading to out of bounds writes.
> - CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be
> read
>     If the bdf parser failed to parse the data for the bitmap for any
>     character, it would proceed with an invalid pointer to the bitmap
>     data and later crash when trying to read the bitmap from that pointer.
> - CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo
> struct
>     The bdf parser read metrics values as 32-bit integers, but stored
>     them into 16-bit integers.  Overflows could occur in various operations
>     leading to out-of-bounds memory access.
> Affected Versions
> =================
> X.Org believes all prior versions of this library contain these flaws,
> dating back to its introduction in X11R5.
> Fixes
> =====
> Fixes are available in the patches for these libXfont git commits:
>       2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
>       78c2e3d70d29698244f70164428bd2868c0ab34c
>       2351c83a77a478b49cba6beb2ad386835e264744
> Which are now available from:
>       git://
> Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
> from X.Org.
> Thanks
> ======
> X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and
> William Robinet of Conostix for reporting these issues to our security team
> and helping evaluate and test the fixes; and thanks Michal Zalewski and the
> American Fuzzy Lop community for providing their fuzz testing tool as an
> open
> source project we can all benefit from at .

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: | +43 (0)680 301 7167

Download attachment "signature.asc" of type "application/pgp-signature" (649 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ