CVE-2007-1351 iDEFENSE BDF font integer overflow
CVE-2007-1352 iDEFENSE fonts.dir integer overflow

Draft advisory:

Multiple Vendor X Window System Server BDF Font Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory XX.XX.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
MMM DD, 2004

I. BACKGROUND

In short, XFree86 is an open source X11-based desktop infrastructure. XFree86 provides a client/server interface between display hardware (the mouse, keyboard, and video displays) and the desktop environment while also providing both the windowing infrastructure and a standardized application interface (API). XFree86 is platform independent, network-transparent and extensible.

More information on XFree86 is available at: http://www.xfree86.org/

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in multiple vendors' implementations of the X Window System server BDF font parsing component could allow execution of arbitrary commands with elevated privileges.

The X Window System (or X11) server is a graphical interface commonly used on Unix-like systems.

The vulnerability specifically exists in the parsing of BDF fonts. When the file specifies that there are more than 1,073,741,824 (2 to the power of 30) characters defined in the font file, an exploitable heap overflow condition occurs.

III. ANALYSIS

As the X11 server requires direct access to video hardware, it runs with elevated privileges. A user compromising an X server would gain those permissions.

In order to exploit this vulnerability, an attacker would need to be able to cause the X server to use a maliciously constructed font. The XFree86 X11 server contains multiple methods for a user to define additional paths to look for fonts. An exploit has been developed using the "-fp" command line option to the X11 server to pass the location of the attack to the server. It is also possible to use the "xset" command with the "fp" option to perform an attack on an already running server.

Some distributions allow users to start the X11 server only if they are logged on at the console, while others will allow any user to start it. As it is possible to exploit this vulnerability from within a running X11 server, any remote exploit against any program that runs in the X11 subsystem that allows execution of code as a local user may be able to be converted from a Remote User exploit into a Remote Root exploit by the addition of an exploit for this vulnerability.

Attempts at exploiting this vulnerability may put the console into an unusable state. This will not prevent repeated exploitation attempts.

IV. DETECTION

XFree86 4.40 and X.org's X11R6.8.0 have been confirmed vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this issue.

VI. VENDOR RESPONSE

[Quoted vendor response if available. Otherwise include vendor fix details.]

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/13/2004 Initial vendor notification
XX/XX/2004 Initial vendor response
XX/XX/2004 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
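An added illustration of the arithmetic behind the description above (example code written for this page, not libXfont's parser, the attached patch, or iDEFENSE's reproducer): a minimal reader for the BDF "CHARS n" line that computes the size of the per-glyph pointer table in 32-bit arithmetic, once unchecked, where a count of 2^30 or more wraps the byte count to a tiny allocation, and once with the bounds check a parser needs in order to reject such a font before allocating. The 4-byte pointer size of a 32-bit build, the function names and the two sample headers are assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Element size of the per-glyph pointer table on a 32-bit build (assumed:
 * 4-byte pointers). Fixed here so the arithmetic is the same on any host. */
#define GLYPH_PTR_SIZE 4u

/* Parse the glyph count from a BDF "CHARS <n>" line.
 * Returns the count, or -1 if the line is not a well-formed CHARS line. */
long bdf_parse_chars_line(const char *line)
{
    if (strncmp(line, "CHARS ", 6) != 0)
        return -1;
    char *end;
    errno = 0;
    long n = strtol(line + 6, &end, 10);
    if (errno != 0 || end == line + 6 || n < 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;
    return n;
}

/* Unchecked byte count in 32-bit arithmetic, the pattern the advisory
 * describes: count * pointer size wraps once the count reaches 2^30,
 * so a huge declared count yields a tiny (or zero-byte) table. */
uint32_t unchecked_table_bytes(uint32_t nchars)
{
    return nchars * GLYPH_PTR_SIZE;
}

/* Checked version: refuse any count whose table would not fit in 32 bits.
 * Returns the byte count, or 0 for an empty or rejected count. */
uint32_t checked_table_bytes(long nchars)
{
    if (nchars <= 0)
        return 0;
    if ((unsigned long)nchars > UINT32_MAX / GLYPH_PTR_SIZE)
        return 0;                       /* would wrap: reject the font */
    return (uint32_t)nchars * GLYPH_PTR_SIZE;
}

/* Scan a BDF header for its CHARS line and return the validated table
 * size, or 0 if the line is missing, malformed, or overflowing. */
uint32_t bdf_glyph_table_bytes(const char *font_text)
{
    const char *p = font_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[64];
        if (len < sizeof line) {        /* overlong lines are skipped */
            memcpy(line, p, len);
            line[len] = '\0';
            long n = bdf_parse_chars_line(line);
            if (n >= 0)
                return checked_table_bytes(n);
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample headers (not the reproducer attached to the bug). */
static const char *SANE_FONT =
    "STARTFONT 2.1\nFONT -misc-fixed\nSIZE 8 75 75\nCHARS 2\n";
static const char *OVERSIZED_FONT =
    "STARTFONT 2.1\nFONT -misc-fixed\nSIZE 8 75 75\nCHARS 1073741825\n";

int main(void)
{
    printf("sane font:      checked %u bytes\n",
           bdf_glyph_table_bytes(SANE_FONT));
    printf("oversized font: unchecked %u bytes, checked %u bytes\n",
           unchecked_table_bytes(1073741825u),
           bdf_glyph_table_bytes(OVERSIZED_FONT));
    return 0;
}
```

The point of the check is that the comparison happens on the count, before the multiplication, against the largest count whose table still fits; multiplying first and testing the product would test an already-wrapped value.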
Created attachment 114802: libXfontIDEF739IDEF741.diff. Proposed upstream patch.
Created attachment 114804: reproducer-font.bdf
No release date set, but I guess it could be sometime next week or the week after, perhaps even sooner. CC'ing Chris to keep him up to speed. Donnie please advise.
There doesn't appear to be an upstream bug for this yet. I can toss together an ebuild anytime, since it's a relatively trivial patch, but might as well wait until we know this is the final version and we have a release date.
Oh, and this definitely looks GLSA-worthy, as a local root compromise to running or newly started X servers.
Seems like there is another issue: IDEF2212 - XC-MISC bug (X.Org) - CVE-2007-1003 Hopefully there is a patch somewhere. I'll check archives and attach it if possible. Release date seems to be 03 April, but I'll update status whiteboard when I'm sure about it.
Mailed reporter about the patch for IDEF2212 - XC-MISC bug (X.Org) - CVE-2007-1003. Rerating since this is local root compromise.
Created attachment 114864 [details, diff] xcmisc.diff
We now have patches for all issues. Donnie please advise.
Yes, the xc-misc patch fixes another user-controlled parameter that can cause an overflow. Upstream (closed) bug for that issue is https://bugs.freedesktop.org/show_bug.cgi?id=10001.
I think it should be in upstream CVS now but haven't seen any announcements yet. Donnie could you take a look?
This is now public here: https://issues.rpath.com/browse/RPL-1213 And probably other places as well. Donnie please provide an updated ebuild.
Pulling in complete herd.
Yeah, changes were pushed to 3 modules but there have been no releases.

xorg-server: CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption
libX11: CVE-2007-1667: Multiple integer overflows in the XGetPixel() and XInitImage functions
libXfont: Integer overflow vulnerabilities
  CVE-2007-1351: BDFFont Parsing Integer Overflow
  CVE-2007-1352: fonts.dir File Parsing Integer Overflow
Here's the security announcement, still no releases: http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html Looks like we'll have to just patch 'em in for now. I'll stick some ebuilds in CVS later.
Arches need to stable x11-base/xorg-server-1.1.1-r5 as well as one of x11-libs/libXfont-1.2.2-r1 or 1.2.7-r1.
Thx Donnie. Arches please test and mark stable as per comment #16.
libXfont-1.2.7-r1.ebuild: ia64 + x86 stable
Stable on sparc (and everything is fine in the directory despite confusing CIA message). Required xorg-server version was already stable, so no action there. I note also that -1.2.8 is also good on sparc, and Changelog indicates it already has this fix.
Required version of xorg-server already stable on amd64, libXfont-1.2.7-r1 stabilized on amd64.
ppc64 stable
ppc stable
Stable for HPPA.
Stable on alpha.
GLSA 200705-10 with bug 174200 (tightvnc), thanks everybody.
1.3.0 is stable for mips.