XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation
SecurityTracker Alert ID: 1007598
SecurityTracker URL: http://securitytracker.com/id/1007598
Updated: Sep 12 2003
Original Entry Date: Aug 31 2003
Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Several vulnerabilities were reported in the XFree86 font libraries. A remote user can execute arbitrary code. A local user may be able to exploit Xserver to execute arbitrary code with root privileges.
It is reported that a remote user may be able to exploit these flaws in the font libraries via an application that uses the libraries. The exact impact depends on how the application uses the libraries.
According to the report, the vulnerabilities are due to integer overflows that may occur in the transfer and enumeration of fonts from font servers to clients.
The report indicates that in certain configurations where xfs and Xserver act as clients, a remote user can execute arbitrary code on those systems.
In addition, a local user can modify the Xserver configuration to cause the Xserver to load a font from a malicious font server, resulting in the execution of arbitrary code. Because Xserver is reportedly configured with set user id (setuid) root privileges, a local user can thus obtain root privileges.
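The bug class the advisory describes is a client computing a buffer size from server-supplied values in 32-bit arithmetic, so that a wrapped product yields a small allocation that a later copy overruns. The following is an added illustration, not XFree86 code; the header layout, field names, function names and the 16 MiB policy ceiling are assumptions, and the unchecked variant is kept only to show the size that the hardened variant rejects.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Added illustration, not XFree86 code. Models the bug class in the advisory:
 * a client derives an allocation size from two values the font server sent
 * (an entry count and a per-entry length) and never checks for wrap-around.
 * All names below are hypothetical. */

/* Constructed model of the server-controlled fields a client might read. */
struct fs_reply_hdr {
    uint32_t num_entries;   /* number of font entries the server advertises */
    uint32_t entry_len;     /* bytes per entry, also chosen by the server */
};

/* Unchecked: the 32-bit product wraps silently, e.g. 0x40000001 * 4 == 4,
 * so the caller would allocate 4 bytes and then copy far more into them. */
uint32_t fs_buffer_size_unchecked(const struct fs_reply_hdr *h) {
    return h->num_entries * h->entry_len;
}

/* Assumed policy ceiling for any single reply; not from XFree86. */
#define FS_MAX_REPLY_BYTES (16u * 1024u * 1024u)

/* Hardened: divide before multiplying so the comparison itself cannot wrap,
 * and reject anything that would overflow or exceed the ceiling before any
 * memory is allocated or copied. */
bool fs_buffer_size_checked(const struct fs_reply_hdr *h, uint32_t *out) {
    if (h->num_entries == 0 || h->entry_len == 0)
        return false;                                   /* nothing to allocate */
    if (h->num_entries > FS_MAX_REPLY_BYTES / h->entry_len)
        return false;                                   /* would wrap or exceed cap */
    *out = h->num_entries * h->entry_len;               /* provably <= cap here */
    return true;
}

/* Exact wrap detector for audits and fuzz harnesses: a product wrapped iff
 * dividing it back by a non-zero factor does not recover the other factor. */
bool fs_reply_would_wrap(const struct fs_reply_hdr *h) {
    if (h->num_entries == 0)
        return false;
    return fs_buffer_size_unchecked(h) / h->num_entries != h->entry_len;
}
```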
A remote user may be able to execute arbitrary code. The exact impact depends on the applications that use the affected font libraries.
A local user may be able to cause Xserver to execute arbitrary code with root privileges.
A fix is available via CVS.
As a workaround, the author of the report states that you can:
1) Remove the suid bit from the Xserver binary:
chmod u-s XFree86
2) Ensure that your xfs and Xserver do not include untrusted font servers in the font search paths.
Vendor URL: www.xfree.org/
Linux (Any), UNIX (Any)
Source Message Contents
Date: Sat, 30 Aug 2003 02:25:55 -0700
Subject: Multiple integer overflows in XFree86 (local/remote)
Remote and local vulnerabilities in XFree86 font libraries
Product: XFree86 (4.3.0)
Impact: Potential privilege escalation / remote code execution
Bug class: Integer overflow
Vendor notified: Yes
Fix available: Yes (see end of advisory)
I have identified several bugs in the font libraries of the current version
(4.3.0) of the XFree86 font libraries. These bugs could potentially
lead to the execution of arbitrary code by a remote user in any process
which calls the functions in question. The functions are related to
the transfer and enumeration of fonts from font servers to clients, limiting
the range of the exposure caused by these bugs.
Specifically, several variables passed from a font server to a
client are not adequately checked, allowing integer overflows to cause
sizes of buffers to be calculated. These erroneous calculations can
buffers on the heap and stack overflowing, potentially leading to arbitrary
execution. As stated before, the risk is limited by the fact that only
clients can be affected remotely by these bugs, but in some (non default)
configurations, both xfs and XServer can act as clients to remote font
In these configurations, both xfs and XServer could be potentially compromised
remotely. Also, it is possible for a local unprivileged user to alter
the configuration of Xserver in such a manner as to force it to load
a font from an arbitrary font server. Since Xserver is setuid root by
default, a local user may potentially gain root privileges.
To prevent the local privilege escalation, remove the suid bit from the
chmod u-s XFree86
Ensure xfs and Xserver do not include untrusted font servers in their
The current CVS version of XFree86 has been updated to correct these
firstname.lastname@example.org of isen