Date: Tue, 17 Mar 2015 08:56:24 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Sven Schwedas <sven.schwedas@....at>,
        "X.Org Security Team" <xorg-security@...ts.x.org>
Subject: Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont

On 03/17/15 08:18 AM, Sven Schwedas wrote:
> On 2015-03-17 16:11, Alan Coopersmith wrote:
>> As libXfont is used by the X server to read font files, and an unprivileged
>> user with access to the X server can tell the X server to read a given font
>> file from a path of their choosing, these vulnerabilities have the
>> potential
>
> Can this be exploited by any current browser's web fonts implementation,
> or will this require local access? (Loading fonts from user-writeable
> ~/.fonts seems to be enabled by default.)

I am not aware of any current browser which meets any of these criteria,
much less all of them:

  - supports the ancient BDF bitmap font format in its webfonts, instead of
    scalable font formats such as OpenType, TrueType, or PostScript Type 1.

  - uses the old X server-side font technology instead of rendering on the
    client side, where it can do complex text layout & antialiasing

  - downloads a BDF font from a website, stores to a local directory,
    runs mkfontdir in that directory, and adds it to the X font path.

The primary exploit path X.Org is aware of for these would be a local user
who can log in to an X session already, running "xset +fp" to add a directory
under their control to the font path of that X server in order to execute code
with the privileges of the X server (often root).

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	 X.Org Security Response Team - xorg-security@...ts.x.org
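
Added example, not part of the message above and not X.Org code: a defender-side audit of the server font path mentioned in the reply, flagging path elements whose directory is owned by an untrusted user or is group- or world-writable. The sample `xset q` text and the path `/home/alice/bdf` are constructed, and the function names and the trusted-uid policy are assumptions of this example.

```python
import os
import stat

# Constructed sample of `xset q` output (only the font path part matters here).
SAMPLE_XSET_Q = """\
Font Path:
  /usr/share/fonts/X11/misc:unscaled,/home/alice/bdf,catalogue:/etc/X11/fontpath.d,built-ins
"""

def parse_font_path(xset_q_output):
    """Return the comma-separated elements on the line after 'Font Path:'."""
    lines = xset_q_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "Font Path:" and i + 1 < len(lines):
            return [e.strip() for e in lines[i + 1].split(",") if e.strip()]
    return []

def element_directory(element):
    """Map a font path element to a local directory, or None if it is not one."""
    if element.startswith("catalogue:"):
        element = element[len("catalogue:"):]
    if not element.startswith("/"):
        return None  # e.g. "built-ins" or a font server such as tcp/host:7100
    # Drop attribute suffixes such as ":unscaled" (assumes no ':' in the path).
    return element.split(":", 1)[0]

def audit_font_path(elements, trusted_uids=(0,)):
    """Return (element, reason) pairs for directories a non-trusted user controls."""
    findings = []
    for element in elements:
        directory = element_directory(element)
        if directory is None:
            continue
        try:
            st = os.stat(directory)
        except OSError:
            findings.append((element, "missing or unreadable"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((element, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((element, "group- or world-writable"))
    return findings

if __name__ == "__main__":
    for element, reason in audit_font_path(parse_font_path(SAMPLE_XSET_Q)):
        print("%s: %s" % (element, reason))
```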