Date: Tue, 17 Mar 2015 08:56:24 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
CC: Sven Schwedas <sven.schwedas@....at>,
        "X.Org Security Team" <xorg-security@...ts.x.org>
Subject: Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More
 BDF file parsing issues in libXfont

On 03/17/15 08:18 AM, Sven Schwedas wrote:
> On 2015-03-17 16:11, Alan Coopersmith wrote:
>> As libXfont is used by the X server to read font files, and an unprivileged
>> user with access to the X server can tell the X server to read a given font
>> file from a path of their choosing, these vulnerabilities have the
>> potential
>
> Can this be exploited by any current browser's web fonts implementation,
> or will this require local access? (Loading fonts from user-writeable
> ~/.fonts seems to be enabled by default.)

I am not aware of any current browser which meets any of these criteria,
much less all of them:
  - supports the ancient BDF bitmap font format in its webfonts, instead of
    scalable font formats such as OpenType, TrueType, or PostScript Type 1.
  - uses the old X server-side font technology instead of rendering on
    the client side, where it can do complex text layout & antialiasing
  - downloads a BDF font from a website, stores to a local directory,
    runs mkfontdir in that directory, and adds it to the X font path.

The primary exploit path X.Org is aware of for these would be a local user who
can log in to an X session already, running "xset +fp" to add a directory
under their control to the font path of that X server in order to execute
code with the privileges of the X server (often root).

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	  X.Org Security Response Team - xorg-security@...ts.x.org
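
An added example (not part of the original message and not X.Org code): a defender-side audit of an X server font path, as reported by `xset q`, that flags directory entries which someone other than a trusted owner could control. The function names, the `trusted_uids` parameter and the sample font path are assumptions made for illustration.

```python
import os
import stat


def font_dirs(font_path):
    """Yield the local directories named in a comma-separated X font path."""
    for entry in font_path.split(","):
        entry = entry.strip()
        is_catalogue = entry.startswith("catalogue:")
        if is_catalogue:
            entry = entry[len("catalogue:"):]
        if not entry.startswith("/"):
            continue  # built-ins and font servers (e.g. unix/:7100) are not directories
        path = entry.split(":", 1)[0]  # drop attributes such as ":unscaled"
        yield path
        if is_catalogue and os.path.isdir(path):
            # A catalogue directory holds symlinks to the real font directories.
            for name in sorted(os.listdir(path)):
                link = os.path.join(path, name)
                if os.path.islink(link):
                    yield os.path.realpath(link)


def audit_font_path(font_path, trusted_uids=frozenset({0})):
    """Return (directory, reason) pairs for entries a non-trusted user could control.

    Only each directory itself is checked, not its parent directories.
    """
    findings = []
    for d in font_dirs(font_path):
        try:
            st = os.stat(d)
        except OSError:
            findings.append((d, "missing or unreadable"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((d, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((d, "group- or world-writable"))
    return findings


if __name__ == "__main__":
    # Constructed sample; on a live system take the value from the "Font Path:" section of `xset q`.
    sample = "catalogue:/etc/X11/fontpath.d,/home/alice/fonts:unscaled,built-ins"
    for directory, reason in audit_font_path(sample):
        print("%s: %s" % (directory, reason))
```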
