Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 543620 (CVE-2015-1802) - <x11-libs/libXfont-{1.4.9,1.5.1}: BDF file parsing issues (CVE-2015-{1802,1803,1804})
Summary: <x11-libs/libXfont-{1.4.9,1.5.1}: BDF file parsing issues (CVE-2015-{1802,180...
Status: RESOLVED FIXED
Alias: CVE-2015-1802
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-17 15:19 UTC by Agostino Sarubbo
Modified: 2015-07-22 15:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-17 15:19:00 UTC
From ${URL} :

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered an
issue in the parsing of BDF font files by libXfont.  Additional testing by
Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool
uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged
user with access to the X server can tell the X server to read a given font
file from a path of their choosing, these vulnerabilities have the potential
to allow unprivileged users to run code with the privileges of the X server
(often root access).

The vulnerabilities are:

- CVE-2015-1802: bdfReadProperties: property count needs range check

     The bdf parser reads a count for the number of properties defined in
     a font from the font file, and allocates arrays with entries for each
     property based on that count.  It never checked to see if that count
     was negative, or large enough to overflow when multiplied by the size
     of the structures being allocated, and could thus allocate the wrong
     buffer size, leading to out of bounds writes.

- CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

     If the bdf parser failed to parse the data for the bitmap for any
     character, it would proceed with an invalid pointer to the bitmap
     data and later crash when trying to read the bitmap from that pointer.

- CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

     The bdf parser read metrics values as 32-bit integers, but stored
     them into 16-bit integers.  Overflows could occur in various operations
     leading to out-of-bounds memory access.

Affected Versions
=================

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.


Fixes
=====

Fixes are available in the patches for these libXfont git commits:
       2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
       78c2e3d70d29698244f70164428bd2868c0ab34c
       2351c83a77a478b49cba6beb2ad386835e264744

Which are now available from:
       git://anongit.freedesktop.org/git/xorg/lib/libXfont
       http://cgit.freedesktop.org/xorg/lib/libXfont/

Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
from X.Org.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matt Turner gentoo-dev 2015-03-17 18:19:46 UTC
I've added 1.5.1 to the tree. I have not added 1.4.9 since it requires an old fontsproto. I'm not sure whether we should add it, or just drop old fontsproto and libXfont-1.4.8*.

The changes between 1.5.0 and 1.5.1 are really trivial. Copying the keywords directly from 1.5.0 without bothering arch teams seems compelling.
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-03-17 19:29:22 UTC
I added libXfont-1.4.9 too as it is required for xorg-server-1.15 and older.
Comment 3 Agostino Sarubbo gentoo-dev 2015-03-18 14:24:54 UTC
Arches, please test and mark stable:                                                                                                                                                                                                                                           
=x11-libs/libXfont-1.4.9
=x11-libs/libXfont-1.5.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Andreas Schürch gentoo-dev 2015-03-18 20:50:36 UTC
x86 done
Comment 5 Agostino Sarubbo gentoo-dev 2015-03-19 10:02:52 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-19 18:12:18 UTC
Stable for HPPA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-03-20 23:05:26 UTC
CVE-2015-1802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1802):
  The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before
  1.4.9 and 1.5.x before 1.5.1 allows remote authenticated users to cause a
  denial of service (out-of-bounds write and crash) or possibly execute
  arbitrary code via a (1) negative or (2) large property count in a BDF font
  file.
Comment 8 Agostino Sarubbo gentoo-dev 2015-03-25 16:07:20 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-26 11:22:31 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-03-26 11:29:39 UTC
ppc64 stable
Comment 11 Markus Meier gentoo-dev 2015-03-28 06:59:45 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-03-30 09:58:23 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-03-30 10:07:41 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Chí-Thanh Christopher Nguyễn gentoo-dev 2015-03-30 10:29:36 UTC
Vulnerable versions have been removed from the tree.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-04-04 15:16:42 UTC
CVE-2015-1804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1804):
  The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before
  1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for
  metrics values, which allows remote authenticated users to cause a denial of
  service (out-of-bounds memory access) and possibly execute arbitrary code
  via a crafted BDF font file.

CVE-2015-1803 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1803):
  The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before
  1.4.9 and 1.5.x before 1.5.1 does not properly handle character bitmaps it
  cannot read, which allows remote authenticated users to cause a denial of
  service (NULL pointer dereference and crash) and possibly execute arbitrary
  code via a crafted BDF font file.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 15:18:18 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 15:23:14 UTC
New GLSA Request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-07-22 15:52:48 UTC
This issue was resolved and addressed in
 GLSA 201507-21 at https://security.gentoo.org/glsa/201507-21
by GLSA coordinator Mikle Kolyada (Zlogene).