[ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server

Matthieu Herrb matthieu.herrb at laas.fr
Tue Oct 2 10:12:38 PDT 2007


X.Org security advisory, October 2nd, 2007
Multiple vulnerabilities in X font server
CVE ID: CVE-2007-4568


Overview

Several vulnerabilities have been identified in xfs, the X font
server.  The QueryXBitmaps and QueryXExtents protocol requests suffer
from lack of validation of their 'length' parameters. Maliciously
crafted requests of either type can cause either of two different
problems:

 * An integer overflow in the computation of the size of a dynamic
   buffer can lead to a heap overflow in the build_range() function.

 * An arbitrary number of bytes on the heap can be swapped by the
   swap_char2b() function.
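
The two checks whose absence the overview describes, shown as an added example (not code from xfs or from the patch referenced below): a size computation that rejects integer wrap-around, and a client-supplied count validated against the bytes actually received before any in-place byte swapping. All type and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical 2-byte character cell, standing in for the protocol's char2b. */
typedef struct { uint8_t high, low; } cell2b;

/* Multiply with overflow detection; returns 0 on success, -1 on wrap. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Validate a client-supplied item count against the bytes actually received.
 * Returns 0 if 'count' cells fit inside 'payload_len' bytes, -1 otherwise. */
int validate_count(uint32_t count, size_t payload_len)
{
    size_t need;
    if (checked_mul((size_t)count, sizeof(cell2b), &need) != 0)
        return -1;
    return need <= payload_len ? 0 : -1;
}

/* Byte-swap 'count' cells in place, only after the count has been validated. */
int swap_cells(cell2b *cells, uint32_t count, size_t payload_len)
{
    if (validate_count(count, payload_len) != 0)
        return -1;              /* reject: count exceeds the request body */
    for (uint32_t i = 0; i < count; i++) {
        uint8_t t = cells[i].high;
        cells[i].high = cells[i].low;
        cells[i].low = t;
    }
    return 0;
}

/* Allocate a work buffer of 'count' elements of 'elem_size' bytes,
 * refusing sizes that would wrap and yield an undersized allocation. */
void *alloc_ranges(uint32_t count, size_t elem_size)
{
    size_t bytes;
    if (count == 0 || checked_mul((size_t)count, elem_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}
```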

Impact

These vulnerabilities can lead to code execution in the font
server. On most modern systems, the font server is accessible only to
local clients and runs with reduced privileges. But on some systems it
may still be accessible from remote clients and possibly running with
root privileges, creating an opportunity for remote privilege
escalation.

Affected versions

All X.Org released versions of xfs are vulnerable to these
problems. Other implementations of the font server based on the X11R6
sample implementation are likely to be vulnerable too.

Fix

A fix for these vulnerabilities is included in xfs 1.0.5.

A patch for xfs 1.0.4 (included in X11R7.3), which should apply to
earlier versions with minor tweaks, is also available:

ftp://ftp.freedesktop.org/pub/X11R7.3/patches/xorg-xfs-1.0.4-query.diff
MD5: e61a30a8cff105b86f8b924d84508e24	xorg-xfs-1.0.4-query.diff
SHA1: 093db0ce2c134ebc40e47a40db89503dad2b0f3e	xorg-xfs-1.0.4-query.diff

Thanks

These vulnerabilities were discovered by Sean Larsson from iDefense
Labs.
- --
Matthieu Herrb