Bug 510250 (CVE-2014-0209)

Summary: <x11-libs/libXfont-1.4.8 integer overflow, unchecked buffer (CVE-2014-{0209,0210,0211})
Product: Gentoo Security
Reporter: Chí-Thanh Christopher Nguyễn <chithanh>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: x11
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.x.org/archives/xorg-announce/2014-May/002431.html
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---

Description Chí-Thanh Christopher Nguyễn gentoo-dev 2014-05-13 16:46:41 UTC
X.Org Security Advisory:  May 13, 2014
X Font Service Protocol & Font metadata file handling issues in libXfont
========================================================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered
several issues in the way the libXfont library handles the responses 
it receives from xfs servers, and has worked with X.Org's security team 
to analyze, confirm, and fix these issues.

Most of these issues stem from libXfont trusting the font server to send
valid protocol data, and not verifying that the values will not overflow 
or cause other damage.   This code is commonly called from the X server 
when an X Font Server is active in the font path, so may be running in a 
setuid-root process depending on the X server in use.  Exploits of this
path could be used by a local, authenticated user to attempt to raise
privileges; or by a remote attacker who can control the font server to
attempt to execute code with the privileges of the X server.  (CVE-2014-XXXA
is the exception, as it does not involve communication with a font server,
as explained below.)

The vulnerabilities are:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

    When a local user who is already authenticated to the X server adds
    a new directory to the font path, the X server calls libXfont to open
    the fonts.dir and fonts.alias files in that directory and add entries
    to the font tables for every line in it.  A large file (~2-4 gb) could
    cause the allocations to overflow, and allow the remaining data read 
    from the file to overwrite other memory in the heap.

    Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

    When parsing replies received from the font server, these calls do not
    check that the lengths and/or indexes returned by the font server are
    within the size of the reply or the bounds of the memory allocated to
    store the data, so could write past the bounds of allocated memory when
    storing the returned data.

    Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
    fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
    fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

    These calls do not check that their calculations for how much memory
    is needed to handle the returned data have not overflowed, so can
    result in allocating too little memory and then writing the returned
    data past the end of the allocated buffer.

    Affected functions: fs_get_reply(), fs_alloc_glyphs(),
    fs_read_extent_info()

Affected Versions
=================

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.
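The advisory above describes two classes of missing check: size arithmetic for allocations that can wrap (CVE-2014-0209, CVE-2014-0211) and length or count fields from the font server that are used before being compared against the bytes actually received (CVE-2014-0210). The following is an added illustration of what the corrected handling looks like; it is not libXfont's or X.Org's code and does not use the real xfs wire format. The reply layout (a 16-bit big-endian name count followed by length-prefixed names) and every function name are constructed for this example.

```c
/* Added example, not libXfont's or X.Org's code: the two defensive checks
 * the advisory says were missing, shown on a constructed, simplified reply
 * layout (16-bit big-endian name count, then 1-byte-length-prefixed names).
 * This is NOT the real xfs wire format; all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CVE-2014-0211/0209 class: allocation arithmetic checked for wrap-around.
 * Computes count * elem + extra; returns 0 and stores the result, or -1 if
 * it would not fit in size_t (so the caller never allocates too little). */
int checked_alloc_size(size_t count, size_t elem, size_t extra, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return -1;                      /* count * elem would wrap */
    size_t prod = count * elem;
    if (prod > SIZE_MAX - extra)
        return -1;                      /* + extra would wrap */
    *out = prod + extra;
    return 0;
}

/* Zeroed allocation for `count` elements plus `extra` bytes, or NULL when
 * the arithmetic overflows.  Peer-supplied counts are never assumed small. */
void *checked_calloc_array(size_t count, size_t elem, size_t extra)
{
    size_t total;
    if (checked_alloc_size(count, elem, extra, &total) != 0)
        return NULL;
    return calloc(1, total);
}

void free_names(char **names, long n)
{
    if (names == NULL)
        return;
    for (long i = 0; i < n; i++)
        free(names[i]);                 /* free(NULL) is a no-op */
    free(names);
}

/* CVE-2014-0210 class: every length or count read from the reply is checked
 * against the bytes actually received before it is used as a copy length or
 * an array index.  Returns the number of names parsed, or -1 for a malformed
 * reply (then *names_out is NULL and nothing leaks). */
long parse_name_list(const uint8_t *buf, size_t buflen, char ***names_out)
{
    *names_out = NULL;
    if (buflen < 2)
        return -1;                      /* not even room for the count */
    size_t nnames = ((size_t)buf[0] << 8) | buf[1];
    size_t pos = 2;
    if (nnames == 0)
        return 0;
    /* Each name occupies at least its length byte, so a count larger than
     * the remaining bytes is bogus: reject it before allocating anything. */
    if (nnames > buflen - pos)
        return -1;

    char **names = checked_calloc_array(nnames, sizeof(char *), 0);
    if (names == NULL)
        return -1;
    for (size_t i = 0; i < nnames; i++) {
        if (pos >= buflen)              /* length byte missing */
            goto fail;
        size_t len = buf[pos++];
        if (len > buflen - pos)         /* name would run past the reply */
            goto fail;
        names[i] = malloc(len + 1);     /* len <= 255: cannot wrap */
        if (names[i] == NULL)
            goto fail;
        memcpy(names[i], buf + pos, len);
        names[i][len] = '\0';
        pos += len;
    }
    *names_out = names;
    return (long)nnames;

fail:
    free_names(names, (long)nnames);    /* unfilled slots are NULL (calloc) */
    return -1;
}

int main(void)
{
    /* Constructed replies: one well-formed, one whose length byte claims
     * 32 bytes when only 2 follow (the shape an unchecked copy would trust). */
    static const uint8_t good[]  = {0x00, 0x02, 5, 'h','e','l','l','o', 3, 'f','i','x'};
    static const uint8_t trunc[] = {0x00, 0x01, 0x20, 'a', 'b'};
    char **names;
    long n = parse_name_list(good, sizeof good, &names);
    printf("good reply: %ld names, first=%s\n", n, n > 0 ? names[0] : "-");
    free_names(names, n);
    printf("truncated reply: %ld\n", parse_name_list(trunc, sizeof trunc, &names));
    size_t total;
    printf("SIZE_MAX/2+1 elements of 4 bytes: %d\n",
           checked_alloc_size(SIZE_MAX / 2 + 1, 4, 0, &total));
    return 0;
}
```

The two helpers separate the concerns the advisory lists: `checked_alloc_size()` refuses any size that wrapped, so a count supplied by the peer can never make the allocation smaller than the data that is later copied into it, and `parse_name_list()` compares each length against the remaining bytes of the reply rather than trusting the field, which is the check the affected `fs_read_*` functions lacked.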
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-05-18 11:01:02 UTC
Arches, please stabilize x11-libs/libXfont-1.4.8

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers gentoo-dev 2014-05-18 16:59:13 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-05-24 09:04:56 UTC
amd64 stable
Comment 4 Markus Meier gentoo-dev 2014-05-25 18:55:13 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-06-08 10:32:48 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-06-08 10:42:07 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-06-08 10:45:44 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-06-08 10:49:06 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-06-08 10:51:41 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-06-08 10:55:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-10 01:39:58 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

New GLSA Request filed.
Comment 12 Chí-Thanh Christopher Nguyễn gentoo-dev 2014-06-10 08:02:47 UTC
The vulnerable version has been removed from the tree.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 22:32:11 UTC
CVE-2014-0211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0211):
  Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and
  (3) fs_read_extent_info functions in X.Org libXfont before 1.4.8 and 1.4.9x
  before 1.4.99.901 allow remote font servers to execute arbitrary code via a
  crafted xfs reply, which triggers a buffer overflow.

CVE-2014-0210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0210):
  Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before
  1.4.99.901 allow remote font servers to execute arbitrary code via a crafted
  xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font,
  (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6)
  fs_read_list, or (7) fs_read_list_info function.

CVE-2014-0209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0209):
  Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias
  functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might
  allow local users to gain privileges by adding a directory with a large
  fonts.dir or fonts.alias file to the font path, which triggers a heap-based
  buffer overflow, related to metadata.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-06-14 09:15:07 UTC
This issue was resolved and addressed in
 GLSA 201406-11 at http://security.gentoo.org/glsa/glsa-201406-11.xml
by GLSA coordinator Mikle Kolyada (Zlogene).