-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 X.Org Security Advisory, September 12, 2006 Integer overflows in handling CID encoded Type1 fonts CVE-ID: 2006-3739, 2006-3740 Overview It may be possible for a user with the ability to set the X server font path, by making it point to a malicious font, to cause arbitrary code execution or denial of service on the X server. Vulnerability details The lack of validation of input data while parsing CID encoded Type1 fonts in the "type1" module may cause some integer overflows while computing the size of allocated data buffers when parsing a font. Arbitrary code embedded in the malicious font can then be executed by the X server. To exploit these vulnerabilities, the ability to connect to the X server in order to execute 'xset fp+' or the equivalent is required. CVE-ID 2006-3740 describes a vulnerability in the scan_cidfont() function in Type1/scanfont.c, while CVE ID 2006-3739 describes similar problems in the CIDADM() function in Type1/afm.c. Affected versions All X servers using the "type1" font module with CID font support are vulnerable to this issue. This includes all X.Org versions from 6.7.0 to 7.1 inclusive. Older versions are not supported by X.Org. Workaround If no CID-encoded Type 1 fonts are used, the "type1" module can be disabled and replaced by the "freetype" module in /etc/X11/xorg.conf. The freetype module is able to use Type1 fonts with standard (non CID) encoding as well as True Type fonts. Also, systems with memory address space randomization are less likely to be successfully compromised, as the most effective way to exploit these vulnerabilities rely on fixed address space. Fix These issues have been fixed in libXfont 1.2.1 For earlier versions, apply one of the following patches: X.Org 6.8.2 <http://xorg.freedesktop.org/releases/X11R6.8.2/patches/> 3943de39723099857403a50bea2b4408 xorg-68x-cidfonts.patch 1ff2c998453e233f9278be76ccb8a827cabbb067 xorg-68x-cidfonts.patch X.Org 6.9.0 <http://xorg.freedesktop.org/releases/X11R6.9.0/patches/> MD5: 7c0c53f1c7ffd97b429eda1eefdff9cb x11r6.9.0-cidfonts.diff SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037 x11r6.9.0-cidfonts.diff X.Org 7.0 - libXfont 1.0.0 <http://xorg.freedesktop.org/releases/X11R7.0/patches/> MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.0.0-cidfonts.diff SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.0.0-cidfonts.diff X.Org 7.1 - libXfont 1.1.0 <http://xorg.freedesktop.org/releases/X11R7.1/patches/> MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.1.0-cidfonts.diff SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.1.0-cidfonts.diff Thanks These vulnerabilities were reported to the X.Org Foundation by iDefense (IDEF1691 and IDEF1751). - -- Matthieu Herrb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iQCVAwUBRQa/+3KGCS6JWssnAQJrswQAlbIxfYB9Z8UTdOH7Dq3VFOFSXRlAIXdQ JAUf0XS36n9pJn+h/KrFYffnD+CJbbOKO6g46T4wZnSfiLb6BrkLEpd2lXVdPQTl V2bwOQSoZTW7FhvTe4KclrymOXVXgqvGX62NkQlxMP7AN1ghhvWImMkQ9rD/t7Aq RcTbgxgvLTE=pWCf -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4033 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.freedesktop.org/archives/xorg-announce/attachments/20060912/d90afa6f/smime.bin