Date: Tue, 17 Mar 2015 16:18:43 +0100 From: Sven Schwedas <sven.schwedas@....at> To: oss-security@...ts.openwall.com Subject: Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont On 2015-03-17 16:11, Alan Coopersmith wrote: > > > > -------- Original Message -------- > Subject: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing > issues in libXfont > Date: Tue, 17 Mar 2015 08:08:33 -0700 > From: Alan Coopersmith <alan.coopersmith@...cle.com> > To: xorg-announce@...ts.x.org > CC: William Robinet <william.robinet@...ostix.com>, xorg@...ts.x.org, > xorg-devel@...ts.x.org, Ilja Van Sprundel <ivansprundel@...ctive.com> > > X.Org Security Advisory: March 17, 2015 > More BDF file parsing issues in libXfont > ======================================== > > Description: > ============ > > Ilja van Sprundel, a security researcher with IOActive, has discovered an > issue in the parsing of BDF font files by libXfont. Additional testing by > Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool > uncovered two more issues in the parsing of BDF font files. > > As libXfont is used by the X server to read font files, and an unprivileged > user with access to the X server can tell the X server to read a given font > file from a path of their choosing, these vulnerabilities have the > potential Can this be exploited by any current browser's web fonts implementation, or will this require local access? (Loading fonts from user-writeable ~/.fonts seems to be enabled by default.) > to allow unprivileged users to run code with the privileges of the X server > (often root access). > > The vulnerabilities are: > > - CVE-2015-1802: bdfReadProperties: property count needs range check > > The bdf parser reads a count for the number of properties defined in > a font from the font file, and allocates arrays with entries for each > property based on that count. It never checked to see if that count > was negative, or large enough to overflow when multiplied by the size > of the structures being allocated, and could thus allocate the wrong > buffer size, leading to out of bounds writes. > > - CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be > read > > If the bdf parser failed to parse the data for the bitmap for any > character, it would proceed with an invalid pointer to the bitmap > data and later crash when trying to read the bitmap from that pointer. > > - CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo > struct > > The bdf parser read metrics values as 32-bit integers, but stored > them into 16-bit integers. Overflows could occur in various operations > leading to out-of-bounds memory access. > > Affected Versions > ================= > > X.Org believes all prior versions of this library contain these flaws, > dating back to its introduction in X11R5. > > > Fixes > ===== > > Fixes are available in the patches for these libXfont git commits: > 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e > 78c2e3d70d29698244f70164428bd2868c0ab34c > 2351c83a77a478b49cba6beb2ad386835e264744 > > Which are now available from: > git://anongit.freedesktop.org/git/xorg/lib/libXfont > http://cgit.freedesktop.org/xorg/lib/libXfont/ > > Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases > from X.Org. > > Thanks > ====== > > X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and > William Robinet of Conostix for reporting these issues to our security team > and helping evaluate and test the fixes; and thanks Michal Zalewski and the > American Fuzzy Lop community for providing their fuzz testing tool as an > open > source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ . > -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwedas@....at | +43 (0)680 301 7167 http://software.tao.at Download attachment "signature.asc" of type "application/pgp-signature" (649 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ