Bug 172575 - x11-libs/libXfont BDF Font Parsing and xc-misc Integer Overflow (CVE-2007-{135{1|2}|1003})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa] jaervosz
Keywords:
Depends on:
Blocks: 173438
Reported: 2007-03-28 17:27 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-11-20 05:36 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
libXfontIDEF739IDEF741.diff (libXfontIDEF739IDEF741.diff, 1.50 KB, patch) - 2007-03-28 17:28 UTC, Sune Kloppenborg Jeppesen (RETIRED)
reproducer-font.bdf (font.bdf, 355.90 KB, text/plain) - 2007-03-28 17:29 UTC, Sune Kloppenborg Jeppesen (RETIRED)
xcmisc.diff (xcmisc.diff, 1.05 KB, patch) - 2007-03-29 13:59 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 17:27:29 UTC
CVE-2007-1351 iDEFENSE BDF font integer overflow
CVE-2007-1352 iDEFENSE fonts.dir integer overflow

Draft advisory:

Multiple Vendor X Window System Server BDF Font Parsing Integer Overflow 
Vulnerability 

iDEFENSE Security Advisory XX.XX.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
MMM DD, 2004

I. BACKGROUND

In short, XFree86 is an open source X11-based desktop infrastructure.

XFree86 provides a client/server interface between display hardware 
(the mouse, keyboard, and video displays) and the desktop environment 
while also providing both the windowing infrastructure and a 
standardized application interface (API). XFree86 is platform 
independent, network-transparent and extensible.

More information on XFree86 is available at:
 http://www.xfree86.org/


II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in multiple 
vendors' implementations of the X Window System server BDF font parsing 
component could allow execution of arbitrary commands with elevated 
privileges.

The X Window System (or X11) server is a graphical interface commonly 
used on Unix-like systems. The vulnerability specifically exists in the 
parsing of BDF fonts. When the file specifies that there are more than 
1,073,741,824 (2 to the power of 30) characters defined in the font 
file, an exploitable heap overflow condition occurs.

III. ANALYSIS

As the X11 server requires direct access to video hardware, it runs with 
elevated privileges. A user compromising an X server would gain those 
permissions.

In order to exploit this vulnerability, an attacker would need to be 
able to cause the X server to use a maliciously constructed font. The 
XFree86 X11 server contains multiple methods for a user to define 
additional paths to look for fonts. An exploit has been developed using 
the "-fp" command line option to the X11 server to pass the location of 
the attack to the server. It is also possible to use "xset" command with 
the "fp" option to perform an attack on an already running server.

Some distributions allow users to start the X11 server only if they are 
logged on at the console, while others will allow any user to start it.

As it is possible to exploit this vulnerability from within a running 
X11 server, any remote exploit against any program that runs in the X11 
subsystem that allows execution of code as a local user may be able to 
be converted from a Remote User exploit into a Remote Root exploit by 
the addition of an exploit for this vulnerability.

Attempts at exploiting this vulnerability may put the console into an 
unusable state. This will not prevent repeated exploitation attempts.

IV. DETECTION

XFree86 4.40 and X.org's X11R6.8.0 have been confirmed vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
issue.

VI. VENDOR RESPONSE

[Quoted vendor response if available. Otherwise include vendor fix
details.]

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/13/2004  Initial vendor notification
XX/XX/2004  Initial vendor response
XX/XX/2004  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
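The overflow described in section II, as an added C example that is not libXfont's code or the attached patch: a constructed 4-byte glyph record, a parser for the BDF `CHARS <count>` header line, and the unchecked 32-bit size computation beside its checked form. The record layout and the function names are assumptions; the same bounded-count check is what a fix for the user-controlled count in comment 14's XC-MISC issue needs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed glyph record, not libXfont's: 4 bytes, so 2^30 of them make
 * a 32-bit size computation wrap exactly as the advisory describes. */
typedef struct { uint16_t width, height; } glyph_t;

/* Parse a BDF "CHARS <count>" header line into a 32-bit count.
 * Returns 0 on success, -1 on a missing keyword, sign, junk or out-of-range value. */
int parse_chars_line(const char *line, uint32_t *nchars) {
    const char *p = line;
    char *end;
    unsigned long v;
    if (strncmp(p, "CHARS ", 6) != 0) return -1;
    p += 6;
    while (*p == ' ') p++;
    if (*p < '0' || *p > '9') return -1;          /* rejects "-1", empty, junk */
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno != 0 || v > UINT32_MAX) return -1;
    while (*end == ' ' || *end == '\n') end++;
    if (*end != '\0') return -1;                  /* trailing garbage */
    *nchars = (uint32_t)v;
    return 0;
}

/* The unchecked computation: file-supplied count times record size in 32-bit
 * arithmetic. For 2^30 this is 0, for 2^30 + 1 it is 4: a tiny allocation. */
uint32_t unchecked_alloc_size(uint32_t nchars) {
    return nchars * (uint32_t)sizeof(glyph_t);
}

/* Hardened form: refuse any count whose product cannot be represented, before multiplying. */
int checked_alloc_size(uint32_t nchars, uint32_t *bytes) {
    if (nchars == 0 || nchars > UINT32_MAX / sizeof(glyph_t)) return -1;
    *bytes = nchars * (uint32_t)sizeof(glyph_t);
    return 0;
}

/* End to end: bytes to allocate for the glyph table, or 0 if the font
 * header is rejected for any reason. */
uint32_t safe_glyph_table_bytes(const char *chars_line) {
    uint32_t n, bytes;
    if (parse_chars_line(chars_line, &n) != 0) return 0;
    if (checked_alloc_size(n, &bytes) != 0) return 0;
    return bytes;
}
```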
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 17:28:28 UTC
Created attachment 114802 [details, diff]
libXfontIDEF739IDEF741.diff

Proposed upstream patch.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 17:29:14 UTC
Created attachment 114804 [details]
reproducer-font.bdf
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 17:36:05 UTC
No release date set, but I guess it could be sometime next week or the week after, perhaps even sooner.

CC'ing Chris to keep him up to speed.

Donnie please advise.
Comment 4 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-28 18:31:09 UTC
There doesn't appear to be an upstream bug for this yet. I can toss together an ebuild anytime, since it's a relatively trivial patch, but might as well wait until we know this is the final version and we have a release date.
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-28 18:33:36 UTC
Oh, and this definitely looks GLSA-worthy, as a local root compromise to running or newly started X servers.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 20:22:14 UTC
Seems like there is another issue:

IDEF2212 - XC-MISC bug (X.Org) - CVE-2007-1003

Hopefully there is a patch somewhere. I'll check archives and attach it if possible.

Release date seems to be 03 April, but I'll update status whiteboard when I'm sure about it.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-28 21:39:30 UTC
Mailed reporter about the patch for IDEF2212 - XC-MISC bug (X.Org) - CVE-2007-1003.

Rerating since this is local root compromise.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-29 13:59:55 UTC
Created attachment 114864 [details, diff]
xcmisc.diff
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-29 14:00:29 UTC
We now have patches for all issues.

Donnie please advise.
Comment 10 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-29 18:06:02 UTC
Yes, the xc-misc patch fixes another user-controlled parameter that can cause an overflow. Upstream (closed) bug for that issue is https://bugs.freedesktop.org/show_bug.cgi?id=10001.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-03 14:58:43 UTC
I think it should be in upstream CVS now but haven't seen any announcements yet.

Donnie could you take a look?
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 06:30:01 UTC
This is now public here:

https://issues.rpath.com/browse/RPL-1213

And probably other places as well.

Donnie please provide an updated ebuild.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 06:43:25 UTC
Pulling in complete herd.
Comment 14 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-04 07:24:36 UTC
Yeah, changes were pushed to 3 modules but there have been no releases.

xorg-server: CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption

libX11: CVE-2007-1667: Multiple integer overflows in the XGetPixel() and XInitImage functions

libXfont: Integer overflow vulnerabilities
    CVE-2007-1351: BDFFont Parsing Integer Overflow
    CVE-2007-1352: fonts.dir File Parsing Integer Overflow
Comment 15 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-04 07:44:50 UTC
Here's the security announcement, still no releases: http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

Looks like we'll have to just patch 'em in for now. I'll stick some ebuilds in CVS later.
Comment 16 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-05 07:03:34 UTC
Arches need to stable x11-base/xorg-server-1.1.1-r5 as well as one of x11-libs/libXfont-1.2.2-r1 or 1.2.7-r1.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:10:19 UTC
Thx Donnie.

Arches please test and mark stable as per comment #16.
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2007-04-11 11:40:47 UTC
libXfont-1.2.7-r1.ebuild:

ia64 + x86 stable
Comment 19 Ferris McCormick (RETIRED) gentoo-dev 2007-04-11 11:55:16 UTC
Stable on sparc (and everything is fine in the directory despite confusing CIA message).  Required xorg-server version was already stable, so no action there.  I note also that -1.2.8 is also good on sparc, and Changelog indicates it already has this fix.
Comment 20 Peter Weller (RETIRED) gentoo-dev 2007-04-11 12:55:01 UTC
Required version of xorg-server already stable on amd64, libXfont-1.2.7-r1 stabilized on amd64.
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 14:12:56 UTC
ppc64 stable
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-11 19:50:36 UTC
ppc stable
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-12 08:12:34 UTC
Stable for HPPA.
Comment 24 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-17 11:26:24 UTC
Stable on alpha.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 20:06:10 UTC
GLSA 200705-10 with bug 174200 (tightvnc), thanks everybody.
Comment 26 Joshua Kinard gentoo-dev 2007-11-20 05:36:44 UTC
1.3.0 is stable for mips.