SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   XFree Vendors:   XFree86 Project
XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation
SecurityTracker Alert ID:  1007598
SecurityTracker URL:  http://securitytracker.com/id/1007598
CVE Reference:   CAN-2003-0730   (Links to External Site)
Updated:  Sep 12 2003
Original Entry Date:  Aug 31 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.3.0
Description:   Several vulnerabilities were reported in the XFree86 font libraries. A remote user can execute arbitrary code. A local user may be able to exploit Xserver to execute arbitrary code with root privileges.

It is reported that a remote user may be able to exploit these flaws in the font libraries via an application that uses the libraries. The exact impact depends on how the application uses the libraries.

According to the report, the vulnerabilities are due to integer overflows that may occur in the transfer and enumeration of fonts from font servers to clients.

The report indicates that in certain configurations where xfs and Xserver act as clients, a remote user can execute arbitrary code on those systems.

In addition, a local user can modify the Xserver configuration to cause the Xserver to load a font from a malicious font server, resulting in the execution of arbitrary code. Because Xserver is reportedly configured with set user id (setuid) root privileges, a local user can thus obtain root privileges.
Impact:   A remote user may be able to execute arbitrary code. The exact impact depends on the applications that use the affected font libraries.

A local user may be able to cause Xserver to execute arbitrary code with root privileges.
Solution:   A fix is available via CVS.

As a workaround, the author of the reports that you can:

1) Remove the suid bit from the Xserver binary:

chmod u-s XFree86

2) Ensure that your xfs and Xserver do not include untrusted font servers in the font search paths.
Vendor URL:  www.xfree.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 12 2003 (Mandrake Issues Fix) XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Oct 9 2003 (NetBSD Issues Fix) Re: XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation   (NetBSD Security Officer <security-officer@NetBSD.org>)
NetBSD has issued a fix.
Nov 18 2003 (Red Hat Issues Fix for RH Linux) Re: XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Linux 9.
Nov 26 2003 (Red Hat Issues Fix for RH 7.1/7.2) Re: XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Linux 7.1 and 7.2.
Nov 26 2003 (Red Hat Issues Fix) XFree86 Font Library Integer Overflows May Allow Remote Access And Local Privilege Elevation   (bugzilla@redhat.com)
Red Hat has issued a fix for Red Hat Linux 7.3 and 8.0.


 Source Message Contents
Date:  Sat, 30 Aug 2003 02:25:55 -0700
Subject:  Multiple integer overflows in XFree86 (local/remote)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote and local vulnerabilities in XFree86 font libraries

Product:         XFree86 (4.3.0)
Impact:          Potential privilege escalation / remote code execution
Bug class:       Integer overflow
Vendor notified: Yes
Fix available:   Yes (see end of advisory)

Details:
I have identified several bugs in the font libraries of the current version
(4.3.0) of the XFree86 font libraries. These bugs could potentially
lead to the execution of arbitrary code by a remote user in any process
which calls the functions in question. The functions are related to
the transfer and enumeration of fonts from font servers to clients, limiting
the range of the exposure caused by these bugs.

Specifically, several variables passed from a font server to a
client are not adequately checked, allowing integer overflows to cause
erroneous
sizes of buffers to be calculated.  These erroneous calculations can
lead to
buffers on the heap and stack overflowing, potentially leading to arbitrary
code
execution. As stated before, the risk is limited by the fact that only
clients can be affected remotely by these bugs, but in some (non default)
configurations, both xfs and XServer can act as clients to remote font
servers.
In these configurations, both xfs and XServer could be potentially compromised
remotely.  Also, it is possible for a local unprivileged user to alter

the configuration of Xserver in such a manner as to force it to load
a font from an arbitrary font server.  Since Xserver is setuid root by
default, a local user may potentially gain root privileges.


Workaround:
To prevent the local privilege escalation, remove the suid bit from the
Xserver binary:
        chmod u-s XFree86

Ensure xfs and Xserver do not include untrusted font servers in their
font
search paths.

Fix:
The current CVS version of XFree86 has been updated to correct these
issues.

Discovered by:
blexim@hush.com of isen
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9IinUACgkQsE7ilXLZoGZziQCgv3YM2FxUt9zVUFPKqpvdoPWON2kA
oLC5uhB0+QXxnjikMqt/3P0S462G
=MlA3
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC