[ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont

Alan Coopersmith alan.coopersmith at oracle.com
Tue Mar 17 08:08:33 PDT 2015

X.Org Security Advisory:  March 17, 2015
More BDF file parsing issues in libXfont


Ilja van Sprundel, a security researcher with IOActive, has discovered an 
issue in the parsing of BDF font files by libXfont.  Additional testing by
Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool 
uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged
user with access to the X server can tell the X server to read a given font
file from a path of their choosing, these vulnerabilities have the potential
to allow unprivileged users to run code with the privileges of the X server
(often root access).

The vulnerabilities are:

- CVE-2015-1802: bdfReadProperties: property count needs range check

    The bdf parser reads a count for the number of properties defined in
    a font from the font file, and allocates arrays with entries for each
    property based on that count.  It never checked to see if that count
    was negative, or large enough to overflow when multiplied by the size
    of the structures being allocated, and could thus allocate the wrong
    buffer size, leading to out of bounds writes.

- CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

    If the bdf parser failed to parse the data for the bitmap for any
    character, it would proceed with an invalid pointer to the bitmap
    data and later crash when trying to read the bitmap from that pointer.

- CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

    The bdf parser read metrics values as 32-bit integers, but stored
    them into 16-bit integers.  Overflows could occur in various operations
    leading to out-of-bounds memory access.

Affected Versions

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.


Fixes are available in the patches for these libXfont git commits:

Which are now available from:

Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
from X.Org.


X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and
William Robinet of Conostix for reporting these issues to our security team
and helping evaluate and test the fixes; and thanks Michal Zalewski and the
American Fuzzy Lop community for providing their fuzz testing tool as an open
source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ .

	-Alan Coopersmith-              alan.coopersmith at oracle.com
	  X.Org Security Response Team - xorg-security at lists.x.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.x.org/archives/xorg-announce/attachments/20150317/70a083cb/attachment.sig>

More information about the xorg-announce mailing list