v902
August 31st, 2003, 00:21
This forum has 45 posts and FBSD has 8 so it's being posted here :)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote and local vulnerabilities in XFree86 font libraries

Product: XFree86 (4.3.0)
Impact: Potential privilege escalation / remote code execution
Bug class: Integer overflow
Vendor notified: Yes
Fix available: Yes (see end of advisory)

Details:
I have identified several bugs in the font libraries of the current version
(4.3.0) of the XFree86 font libraries. These bugs could potentially
lead to the execution of arbitrary code by a remote user in any process
which calls the functions in question. The functions are related to
the transfer and enumeration of fonts from font servers to clients, limiting
the range of the exposure caused by these bugs.

Specifically, several variables passed from a font server to a
client are not adequately checked, allowing integer overflows to cause
erroneous
sizes of buffers to be calculated. These erroneous calculations can
lead to
buffers on the heap and stack overflowing, potentially leading to arbitrary
code
execution. As stated before, the risk is limited by the fact that only
clients can be affected remotely by these bugs, but in some (non default)
configurations, both xfs and XServer can act as clients to remote font
servers.
In these configurations, both xfs and XServer could be potentially compromised
remotely. Also, it is possible for a local unprivileged user to alter

the configuration of Xserver in such a manner as to force it to load
a font from an arbitrary font server. Since Xserver is setuid root by
default, a local user may potentially gain root privileges.


Workaround:
To prevent the local privilege escalation, remove the suid bit from the
Xserver binary:
chmod u-s XFree86

Ensure xfs and Xserver do not include untrusted font servers in their
font
search paths.

Fix:
The current CVS version of XFree86 has been updated to correct these
issues.

Discovered by:
blexim@hush.com of isen
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9IinUACgkQsE7ilXLZoGZziQCgv3YM2FxUt9 zVUFPKqpvdoPWON2kA
oLC5uhB0+QXxnjikMqt/3P0S462G
=MlA3
-----END PGP SIGNATURE-----

elmore
August 31st, 2003, 01:42
well it has 46 topics and now.... 256 posts.