Matthieu Herrb
2007-Oct-02 17:12 UTC
[ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server
X.Org security advisory, October 2nd, 2007
Multiple vulnerabilities in X font server
CVE ID: CVE-2007-4568

Overview

Several vulnerabilities have been identified in xfs, the X font server.
The QueryXBitmaps and QueryXExtents protocol requests lack validation of
their 'length' parameters. A maliciously crafted request of either type
can cause two different problems:

* An integer overflow in the computation of the size of a dynamic buffer
  can lead to a heap overflow in the build_range() function.

* An arbitrary number of bytes on the heap can be swapped by the
  swap_char2b() function.

Impact

These vulnerabilities can lead to code execution in the font server.

On most modern systems, the font server is accessible only to local
clients and runs with reduced privileges. But on some systems it may
still be accessible from remote clients and possibly running with root
privileges, creating an opportunity for remote privilege escalation.

Affected versions

All X.Org released versions of xfs are vulnerable to these problems.
Other implementations of the font server based on the X11R6 sample
implementation are likely to be vulnerable too.

Fix

A fix for these vulnerabilities is included in xfs 1.0.5.

A patch for xfs 1.0.4 (included in X11R7.3), which should apply to
earlier versions with minor tweaks, is also available:

ftp://ftp.freedesktop.org/pub/X11R7.3/patches/xorg-xfs-1.0.4-query.diff

MD5:  e61a30a8cff105b86f8b924d84508e24  xorg-xfs-1.0.4-query.diff
SHA1: 093db0ce2c134ebc40e47a40db89503dad2b0f3e  xorg-xfs-1.0.4-query.diff

Thanks

These vulnerabilities were discovered by Sean Larsson from iDefense Labs.
-- 
Matthieu Herrb
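The two problems listed in the Overview come down to trusting a client-supplied count. The sketch below is an added example, not part of the advisory and not xfs source or its patch. It contrasts an unvalidated size computation with a validated one and bounds a 2-byte swap loop. The header size, the range_t layout, the function names and the reading of 'length' as a count of 4-byte units are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire layout for this example; these are NOT the xfs structures. */
#define HDR_BYTES  12u                 /* assumed fixed request header size */
#define ITEM_BYTES 2u                  /* one 2-byte character code per item */
typedef struct { uint16_t first, last; } range_t;   /* assumed range record */

/* Unvalidated pattern: 32-bit size arithmetic on a client-supplied count. */
static uint32_t unchecked_alloc_size(uint32_t num_items)
{
    return num_items * (uint32_t)sizeof(range_t);   /* wraps for large counts */
}

/* Validated pattern: count must fit the request's bytes; size cannot wrap. */
static bool checked_alloc_size(uint32_t len_words, uint32_t num_items, size_t *out)
{
    uint64_t req_bytes = (uint64_t)len_words * 4u;  /* assumed 4-byte units */
    if (req_bytes < HDR_BYTES) return false;        /* shorter than a header */
    if ((uint64_t)num_items * ITEM_BYTES > req_bytes - HDR_BYTES)
        return false;                               /* count exceeds payload */
    if (num_items > SIZE_MAX / sizeof(range_t))
        return false;                               /* size would overflow */
    *out = (size_t)num_items * sizeof(range_t);
    return true;
}

/* Byte-swap 2-byte items only after bounding the count by the buffer size. */
static bool swap_items_checked(uint8_t *buf, size_t buf_len, uint32_t num_items)
{
    if ((uint64_t)num_items * ITEM_BYTES > buf_len) return false;
    for (size_t i = 0; i < num_items; i++) {
        uint8_t t = buf[2 * i];
        buf[2 * i] = buf[2 * i + 1];
        buf[2 * i + 1] = t;
    }
    return true;
}

int main(void)
{
    size_t sz = 0;
    printf("unchecked: %u\n", (unsigned)unchecked_alloc_size(0x40000001u));
    printf("checked ok: %d\n", checked_alloc_size(4, 0x40000001u, &sz));
    return 0;
}
```

With the constructed count 0x40000001, the unchecked computation wraps to a 4-byte allocation, while the checked version rejects the request because the count cannot fit in the bytes the request carries.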