Gentoo Archives: gentoo-announce

From: Tim Yamin <plasmaroo@g.o>
To: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com, gentoo-core@l.g.o, gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200402-02 ] XFree86 Font Information File Buffer Overflow
Date: Wed, 11 Feb 2004 20:47:47
Message-Id: 402A9451.8020708@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200402-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
  Title: XFree86 Font Information File Buffer Overflow
  Date: February 11, 2004
  ID: 200402-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Exploitation of a buffer overflow in the XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.

Background
==========

XFree86 provides a client/server interface between display hardware
and the desktop environment while also providing both the windowing
infrastructure and a standardized API. XFree86 is platform
independent, network-transparent and extensible.

Description
===========

Exploitation of a buffer overflow in the XFree86 X Window System
discovered by iDefense [1] allows local attackers to gain root privileges.

The problem exists in the parsing of the 'fonts.alias' file. The X server
(running as root) fails to check the length of the user-provided input,
so a malicious user may craft a malformed 'fonts.alias' file causing a
buffer overflow upon parsing, eventually leading to the execution of
arbitrary code.

To reproduce the overflow on the command line, you can run:

# cat > fonts.dir <<EOF
1
word.bdf \
-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD

{Some output removed}... Server aborting... Segmentation fault (core dumped)
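An added example, not part of this advisory and not XFree86's code, showing in C the length check the advisory describes as missing: a fonts.alias line parser that bounds every token it copies into a fixed-size buffer and refuses an over-long line of the shape the reproduction above creates, instead of writing past the buffer. MAX_TOKEN, the function names and the constructed input are assumptions.

```c
#include <ctype.h>
#include <string.h>
#define MAX_TOKEN 256 /* assumed buffer size; not XFree86's actual value */
enum alias_rc { ALIAS_OK = 0, ALIAS_EMPTY, ALIAS_COMMENT, ALIAS_TOO_LONG = -1, ALIAS_MALFORMED = -2 };

/* Copy one token (bare or "double quoted") into out[outsz]. Each byte is checked
 * against the buffer size before it is stored, so an over-long token is refused. */
static int read_token(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t n = 0;
    int quoted = (*s == '"');
    if (quoted) s++;
    while (*s && (quoted ? *s != '"' : !isspace((unsigned char)*s))) {
        if (n + 1 >= outsz) return ALIAS_TOO_LONG; /* keep room for the NUL */
        out[n++] = *s++;
    }
    if (quoted) { if (*s != '"') return ALIAS_MALFORMED; s++; }
    out[n] = '\0';
    *p = s;
    return n ? ALIAS_OK : ALIAS_MALFORMED;
}

/* Parse one "<alias> <font-name>" line; lines starting with '!' are comments. */
int parse_alias_line(const char *line, char *alias, size_t asz, char *font, size_t fsz)
{
    int rc;
    while (isspace((unsigned char)*line)) line++;
    if (*line == '\0') return ALIAS_EMPTY;
    if (*line == '!') return ALIAS_COMMENT;
    if ((rc = read_token(&line, alias, asz)) != ALIAS_OK) return rc;
    while (isspace((unsigned char)*line)) line++;
    if (*line == '\0') return ALIAS_MALFORMED; /* alias with no font name */
    return read_token(&line, font, fsz);
}
/* Wrapper using fixed-size stack buffers, the setting the advisory describes. */
int classify_line(const char *line)
{
    char alias[MAX_TOKEN], font[MAX_TOKEN];
    return parse_alias_line(line, alias, sizeof alias, font, sizeof font);
}
/* Constructed input shaped like the advisory's trigger: 1024 '0's then 96 'A's. */
int demo_overlong_line(void)
{
    char line[1024 + 96 + 2];
    memset(line, '0', 1024); memset(line + 1024, 'A', 96);
    line[1120] = '\n'; line[1121] = '\0';
    return classify_line(line);
}
```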

Impact
======

Successful exploitation can lead to a root compromise provided
that the attacker is able to execute commands in the X11
subsystem. This can be done either by having console access to the
target or through a remote exploit against any X client program
such as a web-browser, mail-reader or game.

Workaround
==========

No immediate workaround is available; a software upgrade is required.

Gentoo has released XFree 4.2.1-r3, 4.3.0-r4 and 4.3.99.902-r1 and
encourages all users to upgrade their XFree86 installations. Vulnerable
versions are no longer available in Portage.

Resolution
==========

All users are recommended to upgrade their XFree86 installation:

  # emerge sync
  # emerge -pv x11-base/xfree
  # emerge x11-base/xfree

References
==========

[1] www.idefense.com/application/poi/display?id=72&type=vulnerabilities

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.
