From ${URL} : Description: ============ Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files. As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access). The vulnerabilities are: - CVE-2015-1802: bdfReadProperties: property count needs range check The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. - CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. - CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access. Affected Versions ================= X.Org believes all prior versions of this library contain these flaws, dating back to its introduction in X11R5. Fixes ===== Fixes are available in the patches for these libXfont git commits: 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e 78c2e3d70d29698244f70164428bd2868c0ab34c 2351c83a77a478b49cba6beb2ad386835e264744 Which are now available from: git://anongit.freedesktop.org/git/xorg/lib/libXfont http://cgit.freedesktop.org/xorg/lib/libXfont/ Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases from X.Org. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I've added 1.5.1 to the tree. I have not added 1.4.9 since it requires an old fontsproto. I'm not sure whether we should add it, or just drop old fontsproto and libXfont-1.4.8*. The changes between 1.5.0 and 1.5.1 are really trivial. Copying the keywords directly from 1.5.0 without bothering arch teams seems compelling.
I added libXfont-1.4.9 too as it is required for xorg-server-1.15 and older.
Arches, please test and mark stable: =x11-libs/libXfont-1.4.9 =x11-libs/libXfont-1.5.1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
x86 done
amd64 stable
Stable for HPPA.
CVE-2015-1802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1802): The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote authenticated users to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a (1) negative or (2) large property count in a BDF font file.
ia64 stable
ppc stable
ppc64 stable
arm stable
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Vulnerable versions have been removed from the tree.
CVE-2015-1804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1804): The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file. CVE-2015-1803 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1803): The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly handle character bitmaps it cannot read, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) and possibly execute arbitrary code via a crafted BDF font file.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes
New GLSA Request filed.
This issue was resolved and addressed in GLSA 201507-21 at https://security.gentoo.org/glsa/201507-21 by GLSA coordinator Mikle Kolyada (Zlogene).
