CVE-2007-1351 iDEFENSE BDF font integer overflow
CVE-2007-1352 iDEFENSE fonts.dir integer overflow
Multiple Vendor X Window System Server BDF Font Parsing Integer Overflow
iDEFENSE Security Advisory XX.XX.04
MMM DD, 2004
In short, XFree86 is an open source X11-based desktop infrastructure.
XFree86 provides a client/server interface between display hardware
(the mouse, keyboard, and video displays) and the desktop environment
while also providing both the windowing infrastructure and a
standardized application interface (API). XFree86 is platform
independent, network-transparent and extensible.
More information on XFree86 is available at:
Local exploitation of an integer overflow vulnerability in multiple
vendors' implementations of the X Window System server BDF font parsing
component could allow execution of arbitrary commands with elevated
The X Window System (or X11) server is a graphical interface commonly
used on Unix-like systems. The vulnerability specifically exists in the
parsing of BDF fonts. When the file specifies that there are more than
1,073,741,824 (2 to the power of 30) characters defined in the font
file, an exploitable heap overflow condition occurs.
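The size arithmetic behind this kind of bug, shown as an added illustration rather than the XFree86 or X.Org parser code: a BDF file declares its glyph count on a "CHARS <n>" line, and a parser that multiplies that count by a per-glyph record size without checking for wrap-around asks the allocator for far less memory than it goes on to write. The model below uses 32-bit unsigned arithmetic and a 4-byte per-glyph slot, which is an assumption chosen so the 2^30 threshold named above falls out of the numbers; the function names (parse_chars_line, naive_table_bytes, checked_table_bytes, chars_line_is_safe) and the sample lines are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of one per-glyph slot on a 32-bit build (not taken from
 * any real font library; chosen so 2^30 slots exactly wrap 32 bits). */
#define GLYPH_SLOT_BYTES 4u

/* Parse a BDF "CHARS <n>" line (assumption: decimal ASCII, nothing else
 * on the line).  Returns 0 and stores the count, or -1 when malformed. */
static int parse_chars_line(const char *line, uint32_t *count) {
    const char *p = line;
    char *end;
    unsigned long long v;

    if (strncmp(p, "CHARS", 5) != 0) return -1;
    p += 5;
    if (!isspace((unsigned char)*p)) return -1;
    while (isspace((unsigned char)*p)) p++;
    if (!isdigit((unsigned char)*p)) return -1;   /* also rejects "-1" */
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno != 0 || v > UINT32_MAX) return -1;
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return -1;
    *count = (uint32_t)v;
    return 0;
}

/* Unchecked size computation: for nchars >= 2^30 the product no longer
 * fits in 32 bits and silently wraps, so a later loop over nchars
 * entries runs past the buffer that was actually allocated. */
uint32_t naive_table_bytes(uint32_t nchars) {
    return nchars * GLYPH_SLOT_BYTES;
}

/* Overflow-aware version: refuses any count whose product with the
 * element size would not fit, so the caller can reject the font. */
int checked_table_bytes(uint32_t nchars, uint32_t elem, uint32_t *out) {
    if (elem != 0 && nchars > UINT32_MAX / elem) return -1;
    *out = nchars * elem;
    return 0;
}

/* 1 if the declared count parses and its table size is representable,
 * 0 if the line is malformed or the size would overflow. */
int chars_line_is_safe(const char *line) {
    uint32_t n, bytes;
    if (parse_chars_line(line, &n) != 0) return 0;
    if (checked_table_bytes(n, GLYPH_SLOT_BYTES, &bytes) != 0) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample lines, not taken from any real font file. */
    const char *benign = "CHARS 256";
    const char *oversized = "CHARS 1073741824";   /* 2^30 */
    uint32_t n = 0;

    parse_chars_line(oversized, &n);
    printf("naive: %u slots -> %u bytes requested (wrapped)\n",
           n, naive_table_bytes(n));
    printf("benign accepted: %d, oversized accepted: %d\n",
           chars_line_is_safe(benign), chars_line_is_safe(oversized));
    return 0;
}
```

The check divides rather than multiplies (nchars > UINT32_MAX / elem) because the division cannot itself overflow; a check written as `nchars * elem < nchars` is unreliable and is exactly the pattern compilers are free to optimise away for signed types.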
As the X11 server requires direct access to video hardware, it runs with
elevated privileges. A user compromising an X server would gain those
In order to exploit this vulnerability, an attacker would need to be
able to cause the X server to use a maliciously constructed font. The
XFree86 X11 server contains multiple methods for a user to define
additional paths to look for fonts. An exploit has been developed using
the "-fp" command line option to the X11 server to pass the location of
the attack to the server. It is also possible to use "xset" command with
the "fp" option to perform an attack on an already running server.
Some distributions allow users to start the X11 server only if they are
logged on at the console, while others will allow any user to start it.
Because this vulnerability can be exploited from within a running X11
server, any remote exploit against a program running in the X11
subsystem that yields code execution as a local user could be turned
from a remote user compromise into a remote root compromise by chaining
it with an exploit for this vulnerability.
Attempts at exploiting this vulnerability may put the console into an
unusable state. This will not prevent repeated exploitation attempts.
XFree86 4.40 and X.org's X11R6.8.0 have been confirmed vulnerable.
iDEFENSE is currently unaware of any effective workarounds for this
VI. VENDOR RESPONSE
[Quoted vendor response if available. Otherwise include vendor fix
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
12/13/2004 Initial vendor notification
XX/XX/2004 Initial vendor response
XX/XX/2004 Coordinated public disclosure
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
X. LEGAL NOTICES
Copyright 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email firstname.lastname@example.org for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
Created attachment 114802 [details, diff]
Proposed upstream patch.
Created attachment 114804 [details]
No release date set, but I guess it could be sometime next week or the week after, perhaps even sooner.
CC'ing Chris to keep him up to speed.
Donnie please advise.
There doesn't appear to be an upstream bug for this yet. I can toss together an ebuild anytime, since it's a relatively trivial patch, but might as well wait until we know this is the final version and we have a release date.
Oh, and this definitely looks GLSA-worthy, as a local root compromise to running or newly started X servers.
Seems like there is another issue:
IDEF2212 - XC-MISC bug (X.Org) - CVE-2007-1003
Hopefully there is a patch somewhere. I'll check archives and attach it if possible.
Release date seems to be 03 April, but I'll update status whiteboard when I'm sure about it.
Mailed reporter about the patch for IDEF2212 - XC-MISC bug (X.Org) - CVE-2007-1003.
Rerating since this is local root compromise.
Created attachment 114864 [details, diff]
We now have patches for all issues.
Donnie please advise.
Yes, the xc-misc patch fixes another user-controlled parameter that can cause an overflow. Upstream (closed) bug for that issue is https://bugs.freedesktop.org/show_bug.cgi?id=10001.
I think it should be in upstream CVS now but haven't seen any announcements yet.
Donnie could you take a look?
This is now public here:
And probably other places as well.
Donnie please provide an updated ebuild.
Pulling in complete herd.
Yeah, changes were pushed to 3 modules but there have been no releases.
xorg-server: CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption
libX11: CVE-2007-1667: Multiple integer overflows in the XGetPixel() and XInitImage functions
libXfont: Integer overflow vulnerabilities
CVE-2007-1351: BDFFont Parsing Integer Overflow
CVE-2007-1352: fonts.dir File Parsing Integer Overflow
Here's the security announcement, still no releases: http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
Looks like we'll have to just patch 'em in for now. I'll stick some ebuilds in CVS later.
Arches need to stable x11-base/xorg-server-1.1.1-r5 as well as one of x11-libs/libXfont-1.2.2-r1 or 1.2.7-r1.
Arches please test and mark stable as per comment #16.
ia64 + x86 stable
Stable on sparc (and everything is fine in the directory despite confusing CIA message). Required xorg-server version was already stable, so no action there. I note also that -1.2.8 is also good on sparc, and Changelog indicates it already has this fix.
Required version of xorg-server already stable on amd64, libXfont-1.2.7-r1 stabilized on amd64.
Stable for HPPA.
Stable on alpha.
GLSA 200705-10 with bug 174200 (tightvnc), thanks everybody.
1.3.0 is stable for mips.