-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200402-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
  Title: XFree86 Font Information File Buffer Overflow
  Date: February 11, 2004
  ID: 200402-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Exploitation of a buffer overflow in the XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.

Background
==========

XFree86 provides a client/server interface between display hardware
and the desktop environment while also providing both the windowing
infrastructure and a standardized API. XFree86 is platform
independent, network-transparent and extensible.

Description
===========

Exploitation of a buffer overflow in the XFree86 Window System
discovered by iDefense [1] allows local attackers to gain root privileges.

The problem exists in the parsing of the 'font.alias' file. The X server
(running as root) fails to check the length of the user-provided input,
so a malicious user may craft a malformed 'font.alias' file causing a
buffer overflow upon parsing, eventually leading to the execution of
arbitrary code.
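
As an added defensive illustration (this is not XFree86's code and is not
part of the original advisory), the following C program parses
fonts.alias-style lines ("<alias> <fontname>", with '!' starting a comment)
and applies the check the advisory says the server lacked: every token is
measured against its destination buffer before it is copied, and an alias
or font name that does not fit is rejected with an error instead of
overrunning the buffer. MAXTOKEN, the function names and the sample inputs
are assumptions made for this example; the real format also allows quoted
names containing spaces, which the example does not handle.

```c
/* Added example, not XFree86 code: a bounded parser for fonts.alias-style
 * lines. Tokens are copied into fixed buffers only after checking that they
 * fit. MAXTOKEN is an assumed limit chosen for this example. */
#include <stdio.h>
#include <string.h>

#define MAXTOKEN 256

enum { ALIAS_OK = 0, ALIAS_TOO_LONG = 1, ALIAS_MALFORMED = 2 };

/* Copy one whitespace-delimited token starting at *p into out (outsz bytes)
 * and advance *p past it. Returns the token length, or -1 if the token would
 * not fit: nothing is ever written beyond out[outsz - 1]. */
static int read_token(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t n = 0;

    while (*s == ' ' || *s == '\t')
        s++;
    while (*s != '\0' && *s != ' ' && *s != '\t' && *s != '\n') {
        if (n + 1 >= outsz)          /* leave room for the terminator */
            return -1;
        out[n++] = *s++;
    }
    out[n] = '\0';
    *p = s;
    return (int)n;
}

/* Parse one "alias fontname" line into alias/font. Quoted names containing
 * spaces (which the real format allows) are not handled by this example. */
int parse_alias_line(const char *line, char *alias, size_t asz,
                     char *font, size_t fsz)
{
    const char *p = line;
    int n;

    if ((n = read_token(&p, alias, asz)) < 0) return ALIAS_TOO_LONG;
    if (n == 0) return ALIAS_MALFORMED;
    if ((n = read_token(&p, font, fsz)) < 0) return ALIAS_TOO_LONG;
    if (n == 0) return ALIAS_MALFORMED;
    return ALIAS_OK;
}

/* Parse a whole fonts.alias buffer. Blank lines and '!' comment lines are
 * skipped. Stops at the first bad line and returns its status; *lines_ok
 * receives the number of alias lines accepted before that point. */
int parse_alias_file(const char *text, int *lines_ok)
{
    char alias[MAXTOKEN], font[MAXTOKEN];
    const char *line = text;

    *lines_ok = 0;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t ws = strspn(line, " \t");   /* never runs past the newline */

        if (ws < len && line[ws] != '!') {
            int rc = parse_alias_line(line, alias, sizeof alias,
                                      font, sizeof font);
            if (rc != ALIAS_OK)
                return rc;
            (*lines_ok)++;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return ALIAS_OK;
}

/* Feed the parser a constructed line shaped like the advisory's crash input
 * (a single 1120-byte token with no separator) and report how it is handled. */
int overlong_alias_status(void)
{
    char big[1024 + 96 + 2];
    int ok;

    memset(big, '0', 1024);
    memset(big + 1024, 'A', 96);
    big[1120] = '\n';
    big[1121] = '\0';
    return parse_alias_file(big, &ok);
}

int main(void)
{
    /* Constructed sample using the font name from the fonts.dir entry above. */
    const char *sample =
        "! constructed sample fonts.alias\n"
        "fixed -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1\n";
    int ok;

    printf("sample: status %d, %d alias line(s) accepted\n",
           parse_alias_file(sample, &ok), ok);
    printf("overlong token: status %d (ALIAS_TOO_LONG is %d)\n",
           overlong_alias_status(), ALIAS_TOO_LONG);
    return 0;
}
```

The point of the example is the single comparison in read_token: the
length of the incoming token is checked against the destination size on
every byte, so the input the advisory describes (a token far longer than
any reasonable font name) produces an error return rather than a write past
the end of a stack buffer in a process running as root.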

To reproduce the overflow on the command line, you can run:

# cat > fonts.dir <<EOF
1
word.bdf \
-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD

{Some output removed}... Server aborting... Segmentation fault (core dumped)

Impact
======

Successful exploitation can lead to a root compromise provided
that the attacker is able to execute commands in the X11
subsystem. This can be done either by having console access to the
target or through a remote exploit against any X client program
such as a web browser, mail reader or game.

Workaround
==========

No immediate workaround is available; a software upgrade is required.

Gentoo has released XFree 4.2.1-r3, 4.3.0-r4 and 4.3.99.902-r1 and
encourages all users to upgrade their XFree86 installations. Vulnerable
versions are no longer available in Portage.

Resolution
==========

All users are recommended to upgrade their XFree86 installation:

  # emerge sync
  # emerge -pv x11-base/xfree
  # emerge x11-base/xfree

References
==========

[1] www.idefense.com/application/poi/display?id=72&type=vulnerabilities

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpRPMMXbAy2b2EIRAhx7AKDJTGcpXUlZlLpZG/ulyxfoMQWLzQCgjYf0
3ee6Y8mBkBpcUhzJgMLY5PQ=
=nhw+
-----END PGP SIGNATURE-----