Date: Tue, 7 Jan 2014 08:43:23 -0800
From: Alan Coopersmith <alan.coopersmith@oracle.com>
To: xorg-announce@lists.freedesktop.org
Subject: X.Org Security Advisory: CVE-2013-6462: Stack buffer overflow in
	parsing of BDF font files in libXfont
Message-ID: <20140107164323.GA7851@also.us.oracle.com>
MIME-Version: 1.0
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: xorg@lists.freedesktop.org
Content-Type: multipart/mixed; boundary="===============1223104819=="


--===============1223104819==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="CUfgB8w4ZwR/yMy5"
Content-Disposition: inline


--CUfgB8w4ZwR/yMy5
Content-Type: multipart/mixed; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

X.Org Security Advisory: January 7, 2014 - CVE-2013-6462
Stack buffer overflow in parsing of BDF font files in libXfont
==============================================================

Description:
============

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:

  [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
      scanf without field width limits can crash with huge input data.

Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack.  Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.

As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.

Affected Versions
=================

This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
 tarballs, but not in those from the X11R4 tarballs.)

Fixes
=====

A fix is available via the attached patch, which is also included in
libXfont 1.4.7, released today, and available in the libXfont git repo:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63

Thanks
======

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
http://cppcheck.sourceforge.net/

-- 
    -Alan Coopersmith-              alan.coopersmith@oracle.com
      X.Org Security Response Team - xorg-security@lists.x.org

--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch"
Content-Transfer-Encoding: quoted-printable

From 4d024ac10f964f6bd372ae0dd14f02772a6e5f63 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 23 Dec 2013 18:34:02 -0800
Subject: [PATCH:libXfont] CVE-2013-6462: unlimited sscanf overflows stack
 buffer in bdfReadCharacters()

Fixes cppcheck warning:
 [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
  scanf without field width limits can crash with huge input data.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
---
 src/bitmap/bdfread.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index e2770dc..e11c5d2 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfF=
ileState *pState,
 	char        charName[100];
 	int         ignore;
=20
-	if (sscanf((char *) line, "STARTCHAR %s", charName) !=3D 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) !=3D 1) {
 	    bdfError("bad character name in BDF file\n");
 	    goto BAILOUT;	/* bottom of function, free and return error */
 	}
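Review bot: The width in "STARTCHAR %99s" on the added line is tied by hand to the charName[100] declaration in the context lines above it, so a later change to the array size would leave the format string stale with no compiler diagnostic. A comment next to the declaration noting the dependency, or a single constant from which both the size and the width are derived, would keep the two in step. Note also that sscanf still returns 1 when the name is longer than 99 characters, so an overlong STARTCHAR name is now truncated and accepted rather than taking the bdfError path; if truncation is not wanted, the token length could be checked and the line rejected.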
--=20
1.7.9.2


--tThc/1wpZn/ma/RB--

--CUfgB8w4ZwR/yMy5--

--===============1223104819==--
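
Added example (not part of the advisory, the patch, or the libXfont sources): a width-limited parse of a STARTCHAR line in the style of the fix above, extended to detect an overlong name instead of accepting a truncated one. The helper parse_startchar, the CHARNAME_* macros and the sample lines are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CHARNAME_SIZE  100   /* same size as charName[] in the patch context */
#define CHARNAME_WIDTH 99    /* scanf field width: leaves room for the NUL */
#define STR2(x) #x
#define STR(x)  STR2(x)
_Static_assert(CHARNAME_WIDTH == CHARNAME_SIZE - 1, "width must be size - 1");

enum parse_result { PARSE_OK, PARSE_BAD, PARSE_TOO_LONG };

/* Hypothetical helper, not a libXfont function: parse "STARTCHAR <name>". */
static enum parse_result
parse_startchar(const char *line, char name[CHARNAME_SIZE])
{
    int consumed = 0;

    name[0] = '\0';
    /* %99s stores at most 99 bytes plus the terminator; %n records how
     * many input bytes were consumed up to that point. */
    if (sscanf(line, "STARTCHAR %" STR(CHARNAME_WIDTH) "s%n",
               name, &consumed) != 1)
        return PARSE_BAD;
    /* A token cut short by the width limit is followed by a
     * non-whitespace byte: report it instead of accepting a truncated name. */
    if (line[consumed] != '\0' && !isspace((unsigned char) line[consumed]))
        return PARSE_TOO_LONG;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample input: one normal line, one 300-byte name. */
    char name[CHARNAME_SIZE], big[400] = "STARTCHAR ";
    enum parse_result r;

    memset(big + 10, 'A', 300);   /* rest of big[] is already zeroed */
    printf("normal:   %d\n", parse_startchar("STARTCHAR U+0041", name));
    r = parse_startchar(big, name);
    printf("overlong: %d (kept %zu bytes)\n", r, strlen(name));
    return 0;
}
```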

