Matthieu Herrb
2007-Apr-04 00:37 UTC
[ANNOUNCE] various integer overflow vulnerabilities in xserver, libX11 and libXfont
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, April 3rd, 2007

Multiple vulnerabilities in X server, libXfont and libX11

CVE IDs: CVE-2007-1003 CVE-2007-1351 CVE-2007-1352 CVE-2007-1667

Overview

Lack of validation of parameters passed to the X server and libX11 by
client applications can lead to various kinds of integer overflows or
stack overflows that can be used to overwrite data in the X server's
memory.

Vulnerability details

* CVE-2007-1003 XC-MISC extension integer overflow

  iDefense Labs security researchers discovered that the parameter used
  for ALLOCATE_LOCAL in ProcXCMiscGetXIDList() is computed from an
  expression using a client-provided value that can be arbitrarily big.
  This can lead to an integer overflow in the evaluation of the
  expression or, when ALLOCATE_LOCAL() is using alloca(), to memory
  corruption if the parameter is big enough to fall outside the stack.
  The vulnerable request is only available to an already authenticated
  client of the X server.

* CVE-2007-1351 BDF font parsing integer overflow

  iDefense Labs security researchers discovered that the BDF font
  parsing code in libXfont lacks some input validation checks,
  permitting a specially crafted font in the BDF format to trigger an
  integer overflow in the parameter to a call to xalloc() in the
  bdfReadCharacters() function in bdfread.c, leading to memory
  corruption. An attacker needs to already have access to the system,
  either as an authenticated client of the running X server or with the
  ability to (re)start the X server. This vulnerability also affects the
  FreeType 2 library up to and including 2.3.2. Refer to the FreeType
  web site to obtain a patch.

* CVE-2007-1352 fonts.dir file parsing integer overflow

  iDefense Labs security researchers have identified that the code
  parsing the fonts.dir file in libXfont lacks validation of the initial
  number of fonts declared in this file. This can be used to trigger an
  integer overflow in the computation of the parameter to xalloc() in
  the FontFileInitTable() function, leading to memory corruption. An
  attacker needs to already have access to the system, either as an
  authenticated client of the running X server or with the ability to
  (re)start the X server.

* CVE-2007-1667 libX11 XInitImage input validation

  Sami Leides has reported to the Debian BTS that some manually crafted
  images can lead to memory corruption in libX11, due to incomplete
  input validation in XInitImage(), in ImUtils.c. It has been
  demonstrated that at least xwud and ImageMagick can be used to trigger
  calls to XInitImage() with incorrect parameters when viewing a
  malicious image. Other image viewing programs can probably be used
  too. This vulnerability can be exploited by having a user already
  connected to the X server launch a viewer on the malicious image.

Affected versions

All released X.Org versions of xserver, libX11 and libXfont are
vulnerable to the respective problems. Other X Window System
implementations based on the X11R6 sample implementation are probably
vulnerable too.

Fix

Apply one of the following patches.

X.Org 7.2
http://xorg.freedesktop.org/archive/X11R7.2/patches/

MD5:  d52da02163cd401b99b6e3a08d7ff068  xorg-libX11-1.1.1-xinitimage.diff
SHA1: a0f904115ad9dc441bebcf2f8267f9751322b727  xorg-libX11-1.1.1-xinitimage.diff

MD5:  76e3330c9bace76318e096b3c2182101  xorg-libXfont-1.2.7-bdf-fontdir.diff
SHA1: 3e57aca6215e1212e53b1a3b1d243916ac7fa703  xorg-libXfont-1.2.7-bdf-fontdir.diff

MD5:  0fa07a8fb2bc14fa01fc29e42b89c59e  xorg-xserver-1.2.0-xcmisc.diff
SHA1: 3557cbe23be6912106ed7220d95301311fb93a26  xorg-xserver-1.2.0-xcmisc.diff

These patches can be applied to earlier versions of X.Org too with a
few manual tweaks.

Thanks

Sean Larsson of iDefense Labs discovered the XC-MISC vulnerability and
provided sample code and advice in fixing it.
- --
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRhLOpnKGCS6JWssnAQKphwQAi+8ofGsHiPpYuI01iIxHuilvJobOi+UT
yPShf25RJa4JImUOyZ2KMELU0cpoy1qYphStsLgnxXt5rf9UpG1HRoHaLTNRP6d4
iP7Val2uuf8K6aI2EibyohF87Fv9OcC5aMpHLoGBALrg530qA48cqdRIeYvDgP19
v4VuQmBsqIQ=
=WuJc
-----END PGP SIGNATURE-----
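The four issues in the advisory share one root cause: a count taken from a client request (XC-MISC), from a font file (BDF, fonts.dir) or from an image header (XInitImage) is multiplied into an allocation size without checking that the product fits, and in the XC-MISC case the result is then handed to alloca(). The C program below is an added example written for this page; it is not code from X.Org, libXfont or libX11, and every name in it (naive_table_bytes, checked_table_bytes, alloc_xid_table, parse_fonts_dir_count, checked_image_bytes) and the MAX_TABLE_ENTRIES limit are assumptions chosen for illustration. It places the wrapping 32-bit computation next to a hardened version, sizes a table from a client-style count on the heap rather than the stack, reconciles a fonts.dir-style declared count with the lines actually present, and validates image geometry before a buffer size is derived from it. The fonts.dir text in main() is constructed sample input.

```c
/* Added example (not X.Org, libXfont or libX11 code): checking a count
 * before it sizes an allocation, for the patterns in the advisory.
 * Function names and MAX_TABLE_ENTRIES are assumptions for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TABLE_ENTRIES 65536u   /* hypothetical policy limit on entries */

/* Unchecked 32-bit size computation: the product wraps silently, so a
 * huge count yields a tiny allocation that is then overrun. */
uint32_t naive_table_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened: multiply in 64 bits, reject wrap-around and oversized counts.
 * Returns 0 and sets *out on success, -1 on rejection. */
int checked_table_bytes(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint64_t bytes = (uint64_t)count * elem_size;
    if (count > MAX_TABLE_ENTRIES || bytes > UINT32_MAX)
        return -1;
    *out = (uint32_t)bytes;
    return 0;
}

/* XC-MISC style: size a table from a client-supplied count. Heap memory
 * is used instead of alloca() so a large request cannot run off the stack.
 * Returns NULL when the count is rejected; caller frees the result. */
uint32_t *alloc_xid_table(uint32_t count)
{
    uint32_t bytes;
    if (count == 0 || checked_table_bytes(count, sizeof(uint32_t), &bytes) != 0)
        return NULL;
    return calloc(count, sizeof(uint32_t));
}

/* fonts.dir style: parse the entry count on the first line and reconcile
 * it with the number of entry lines actually present, so a declared count
 * is never trusted on its own. Returns 0 and sets *count on success, -1 if
 * the header is malformed, over the limit, or disagrees with the body. */
int parse_fonts_dir_count(const char *text, uint32_t *count)
{
    char *end;
    unsigned long declared;
    uint32_t lines = 0;
    const char *p;

    errno = 0;
    declared = strtoul(text, &end, 10);   /* "-1" wraps to ULONG_MAX: rejected below */
    if (end == text || errno != 0 || *end != '\n')
        return -1;                        /* no number, or junk after it */
    if (declared > MAX_TABLE_ENTRIES)
        return -1;                        /* policy limit */
    for (p = end + 1; *p != '\0';) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0)
            lines++;
        if (!nl)
            break;
        p = nl + 1;
    }
    if (lines != declared)
        return -1;                        /* declared count disagrees with file */
    *count = (uint32_t)declared;
    return 0;
}

/* XInitImage style: validate caller-supplied image geometry. The row
 * stride must cover the declared width at the declared depth and the
 * total buffer size must not wrap. Returns the size in bytes, 0 if invalid. */
uint64_t checked_image_bytes(uint32_t width, uint32_t height,
                             uint32_t bytes_per_line, uint32_t bits_per_pixel)
{
    uint64_t min_stride = ((uint64_t)width * bits_per_pixel + 7) / 8;
    uint64_t total;
    if (width == 0 || height == 0 || bits_per_pixel == 0 || bits_per_pixel > 32)
        return 0;
    if ((uint64_t)bytes_per_line < min_stride)
        return 0;
    total = (uint64_t)bytes_per_line * height;
    if (total > UINT32_MAX)   /* must fit what a 32-bit length field describes */
        return 0;
    return total;
}

int main(void)
{
    /* constructed sample input: a two-entry fonts.dir-style file */
    const char *dir = "2\nfoo.pcf -misc-foo\nbar.pcf -misc-bar\n";
    uint32_t n = 0, b = 0;
    printf("naive   0x40000000 * 4 = %u (wrapped)\n", naive_table_bytes(0x40000000u, 4));
    printf("checked 0x40000000 * 4 -> %d (rejected)\n", checked_table_bytes(0x40000000u, 4, &b));
    printf("fonts.dir header -> %d, count %u\n", parse_fonts_dir_count(dir, &n), n);
    printf("image 640x480 @32bpp stride 2560 -> %llu bytes\n",
           (unsigned long long)checked_image_bytes(640, 480, 2560, 32));
    return 0;
}
```

The policy limit matters as much as the overflow check: a count that does not wrap can still be large enough to exhaust memory or, with alloca(), to move the stack pointer past the mapped stack, which is why the table is allocated on the heap and capped.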