Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 Mar 2015 16:18:43 +0100
From: Sven Schwedas <sven.schwedas@....at>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More
 BDF file parsing issues in libXfont

On 2015-03-17 16:11, Alan Coopersmith wrote:
> 
> 
> 
> -------- Original Message --------
> Subject: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing
> issues in libXfont
> Date: Tue, 17 Mar 2015 08:08:33 -0700
> From: Alan Coopersmith <alan.coopersmith@...cle.com>
> To: xorg-announce@...ts.x.org
> CC: William Robinet <william.robinet@...ostix.com>, xorg@...ts.x.org,
> xorg-devel@...ts.x.org, Ilja Van Sprundel <ivansprundel@...ctive.com>
> 
> X.Org Security Advisory:  March 17, 2015
> More BDF file parsing issues in libXfont
> ========================================
> 
> Description:
> ============
> 
> Ilja van Sprundel, a security researcher with IOActive, has discovered an
> issue in the parsing of BDF font files by libXfont.  Additional testing by
> Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool
> uncovered two more issues in the parsing of BDF font files.
> 
> As libXfont is used by the X server to read font files, and an unprivileged
> user with access to the X server can tell the X server to read a given font
> file from a path of their choosing, these vulnerabilities have the
> potential

Can this be exploited by any current browser's web fonts implementation,
or will this require local access? (Loading fonts from user-writeable
~/.fonts seems to be enabled by default.)

> to allow unprivileged users to run code with the privileges of the X server
> (often root access).
> 
> The vulnerabilities are:
> 
> - CVE-2015-1802: bdfReadProperties: property count needs range check
> 
>     The bdf parser reads a count for the number of properties defined in
>     a font from the font file, and allocates arrays with entries for each
>     property based on that count.  It never checked to see if that count
>     was negative, or large enough to overflow when multiplied by the size
>     of the structures being allocated, and could thus allocate the wrong
>     buffer size, leading to out of bounds writes.
> 
> - CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be
> read
> 
>     If the bdf parser failed to parse the data for the bitmap for any
>     character, it would proceed with an invalid pointer to the bitmap
>     data and later crash when trying to read the bitmap from that pointer.
> 
> - CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo
> struct
> 
>     The bdf parser read metrics values as 32-bit integers, but stored
>     them into 16-bit integers.  Overflows could occur in various operations
>     leading to out-of-bounds memory access.
> 
> Affected Versions
> =================
> 
> X.Org believes all prior versions of this library contain these flaws,
> dating back to its introduction in X11R5.
> 
> 
> Fixes
> =====
> 
> Fixes are available in the patches for these libXfont git commits:
>       2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
>       78c2e3d70d29698244f70164428bd2868c0ab34c
>       2351c83a77a478b49cba6beb2ad386835e264744
> 
> Which are now available from:
>       git://anongit.freedesktop.org/git/xorg/lib/libXfont
>       http://cgit.freedesktop.org/xorg/lib/libXfont/
> 
> Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
> from X.Org.
> 
> Thanks
> ======
> 
> X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and
> William Robinet of Conostix for reporting these issues to our security team
> and helping evaluate and test the fixes; and thanks Michal Zalewski and the
> American Fuzzy Lop community for providing their fuzz testing tool as an
> open
> source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ .
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@....at | +43 (0)680 301 7167
http://software.tao.at


Download attachment "signature.asc" of type "application/pgp-signature" (649 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.