X Buffer Overflow in Processing CID-encoded Type1 Fonts Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1016828
SecurityTracker URL: http://securitytracker.com/id/1016828
CVE Reference: CVE-2006-3739, CVE-2006-3740
Updated: Sep 13 2006
Original Entry Date: Sep 12 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.1 and prior versions
Description:
A vulnerability was reported in X. A remote authenticated user can execute arbitrary code on the target system.
The software does not properly validate data when parsing CID-encoded Type1 fonts. A remote authenticated user with the ability to set the X server font path (for example with 'xset fp+') can point the path at a specially crafted font to trigger integer overflows in the "type1" font module. The overflows occur while computing the size of the buffers allocated for font data, so the undersized buffers are subsequently overrun with attacker-controlled font contents, and code embedded in the font runs with the privileges of the X server process.
The scan_cidfont() function in 'Type1/scanfont.c' is affected [CVE-2006-3739]. The CIDAFM() function in 'Type1/afm.c' (spelled "CIDADM" in the advisory reproduced below) is affected [CVE-2006-3740]. Note that the vendor advisory below assigns the two CVE identifiers the other way around; the assignment given here matches the published CVE entries.
The vendor credits iDefense with reporting these vulnerabilities.
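The following is an added example and not libXfont or X.Org code. It shows the arithmetic the description refers to: a buffer size computed from attacker-controlled counts in a font file wraps in 32-bit arithmetic, malloc() receives a tiny size, and the copy loop that follows writes the full amount and overruns the heap. The table layout (a 4-byte big-endian entry count, a 4-byte big-endian entry size, then count * entry_size bytes of entries), the sample headers, and the MAX_ENTRIES / MAX_ENTRY_SIZE limits are all constructed for this example; the real CID parsers in Type1/scanfont.c and Type1/afm.c read text, and only the overflow pattern and its checked counterpart are the point.

```c
/* Added example, not libXfont code: an unchecked size computation on
 * values read from a font file, beside the overflow-checked form.
 *
 * Hypothetical table header: 4-byte big-endian entry count, 4-byte
 * big-endian entry size, followed by count * entry_size bytes of entries.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Sanity limits for the hardened parser (assumed values chosen for the
 * example; a real parser would derive them from the format). */
#define MAX_ENTRIES    65536u
#define MAX_ENTRY_SIZE 1024u

/* Constructed inputs: a benign header (12 entries of 4 bytes) and a crafted
 * one whose product 0x40000001 * 4 = 0x100000004 wraps to 4 in 32 bits. */
const unsigned char BENIGN_HDR[8]  = { 0x00,0x00,0x00,0x0c, 0x00,0x00,0x00,0x04 };
const unsigned char CRAFTED_HDR[8] = { 0x40,0x00,0x00,0x01, 0x00,0x00,0x00,0x04 };

static uint32_t rd32be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: count and entry size come straight from the font and
 * are multiplied as 32-bit integers. The result is what malloc() receives. */
uint32_t vuln_alloc_size(const unsigned char *hdr)
{
    uint32_t count = rd32be(hdr);
    uint32_t entry_size = rd32be(hdr + 4);
    return count * entry_size;          /* silently wraps modulo 2^32 */
}

/* Bytes a copy loop of the form
 *     for (i = 0; i < count; i++) memcpy(buf + i*entry_size, src, entry_size);
 * would actually write. Computed in 64 bits so the comparison with the
 * wrapped allocation size is honest on 32-bit and 64-bit hosts alike. */
uint64_t bytes_loop_would_write(const unsigned char *hdr)
{
    return (uint64_t)rd32be(hdr) * rd32be(hdr + 4);
}

/* 1 if the vulnerable computation under-allocates for this header (the copy
 * loop would overrun the buffer), 0 otherwise. Nothing is written out of
 * bounds here; only the condition is evaluated. */
int vuln_would_overflow(const unsigned char *hdr)
{
    return bytes_loop_would_write(hdr) > (uint64_t)vuln_alloc_size(hdr);
}

/* Hardened form: bound both operands, then prove the product cannot wrap
 * before multiplying. Returns 0 and sets *out on success, -1 on rejection. */
int safe_alloc_size(const unsigned char *hdr, size_t *out)
{
    uint32_t count = rd32be(hdr);
    uint32_t entry_size = rd32be(hdr + 4);

    if (count == 0 || entry_size == 0)
        return -1;                                  /* empty or malformed */
    if (count > MAX_ENTRIES || entry_size > MAX_ENTRY_SIZE)
        return -1;                                  /* implausible for a font */
    if ((size_t)count > SIZE_MAX / entry_size)
        return -1;                                  /* product would overflow size_t */

    *out = (size_t)count * entry_size;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 if the header was rejected. */
size_t safe_alloc_size_or_zero(const unsigned char *hdr)
{
    size_t n = 0;
    return safe_alloc_size(hdr, &n) == 0 ? n : 0;
}

int main(void)
{
    const unsigned char *hdrs[2] = { BENIGN_HDR, CRAFTED_HDR };
    const char *names[2] = { "benign", "crafted" };
    for (int i = 0; i < 2; i++) {
        printf("%s: vulnerable malloc(%u), loop writes %llu bytes, "
               "overflow=%d, checked size=%zu\n",
               names[i], vuln_alloc_size(hdrs[i]),
               (unsigned long long)bytes_loop_would_write(hdrs[i]),
               vuln_would_overflow(hdrs[i]),
               safe_alloc_size_or_zero(hdrs[i]));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the crafted header makes the unchecked code allocate 4 bytes for a loop that would write just over 4 GiB, which is exactly the condition the advisory describes, while the checked version rejects it before any allocation happens. The bound on count and entry_size is what matters in practice: it rejects the crafted input outright, and the SIZE_MAX division is the general guard that remains correct if the limits are later relaxed.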
Impact:
A remote authenticated user can execute arbitrary code on the target system.
Solution:
The vendor has issued a fixed version (libXfont 1.2.1).
For earlier versions, apply one of the following patches. Verify each download against both listed checksums before applying it; the libXfont 1.0.0 and 1.1.0 patches are listed with identical checksums, so they are the same file.
X.Org 6.8.2
<http://xorg.freedesktop.org/releases/X11R6.8.2/patches/>
MD5: 3943de39723099857403a50bea2b4408 xorg-68x-cidfonts.patch
SHA1: 1ff2c998453e233f9278be76ccb8a827cabbb067 xorg-68x-cidfonts.patch
X.Org 6.9.0
<http://xorg.freedesktop.org/releases/X11R6.9.0/patches/>
MD5: 7c0c53f1c7ffd97b429eda1eefdff9cb x11r6.9.0-cidfonts.diff
SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037 x11r6.9.0-cidfonts.diff
X.Org 7.0 - libXfont 1.0.0
<http://xorg.freedesktop.org/releases/X11R7.0/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.0.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.0.0-cidfonts.diff
X.Org 7.1 - libXfont 1.1.0
<http://xorg.freedesktop.org/releases/X11R7.1/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.1.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.1.0-cidfonts.diff
Vendor URL: www.x.org/
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Source Message Contents
Date: Tue Sep 12 07:12:23 PDT 2006
Subject: X.Org Security Advisory: Type1 CID fonts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
X.Org Security Advisory, September 12, 2006
Integer overflows in handling CID encoded Type1 fonts
CVE-ID: 2006-3739, 2006-3740
Overview
It may be possible for a user with the ability to set the X server
font path, by making it point to a malicious font, to cause
arbitrary code execution or denial of service on the X server.
Vulnerability details
The lack of validation of input data while parsing CID encoded Type1
fonts in the "type1" module may cause some integer overflows while
computing the size of allocated data buffers when parsing a
font. Arbitrary code embedded in the malicious font can then be
executed by the X server.
To exploit these vulnerabilities, the ability to connect to the X server
in order to execute 'xset fp+' or the equivalent is required.
CVE-ID 2006-3740 describes a vulnerability in the scan_cidfont()
function in Type1/scanfont.c, while CVE ID 2006-3739 describes similar
problems in the CIDADM() function in Type1/afm.c.
Affected versions
All X servers using the "type1" font module with CID font support are
vulnerable to this issue. This includes all X.Org versions from 6.7.0
to 7.1 inclusive. Older versions are not supported by X.Org.
Workaround
If no CID-encoded Type 1 fonts are used, the "type1" module can be
disabled and replaced by the "freetype" module in /etc/X11/xorg.conf.
The freetype module is able to use Type1 fonts with standard (non-CID)
encoding as well as TrueType fonts.
Also, systems with memory address space randomization are less likely
to be successfully compromised, as the most effective way to exploit
these vulnerabilities relies on a fixed address space.
Fix
These issues have been fixed in libXfont 1.2.1.
For earlier versions, apply one of the following patches:
X.Org 6.8.2
<http://xorg.freedesktop.org/releases/X11R6.8.2/patches/>
MD5: 3943de39723099857403a50bea2b4408 xorg-68x-cidfonts.patch
SHA1: 1ff2c998453e233f9278be76ccb8a827cabbb067 xorg-68x-cidfonts.patch
X.Org 6.9.0
<http://xorg.freedesktop.org/releases/X11R6.9.0/patches/>
MD5: 7c0c53f1c7ffd97b429eda1eefdff9cb x11r6.9.0-cidfonts.diff
SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037 x11r6.9.0-cidfonts.diff
X.Org 7.0 - libXfont 1.0.0
<http://xorg.freedesktop.org/releases/X11R7.0/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.0.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.0.0-cidfonts.diff
X.Org 7.1 - libXfont 1.1.0
<http://xorg.freedesktop.org/releases/X11R7.1/patches/>
MD5: 8bcbe12444326fab69f8a899c78519ea libXfont-1.1.0-cidfonts.diff
SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.1.0-cidfonts.diff
Thanks
These vulnerabilities were reported to the X.Org Foundation by
iDefense (IDEF1691 and IDEF1751).
- --
Matthieu Herrb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iQCVAwUBRQbAR3KGCS6JWssnAQIQYwP/Vf21yp8bqTW03lwdaBqeNovDk/o9PJDZ
eEnfwwmjU1Y/hm478UCfarMLnLulxk3dOm5miDEawGtDp1uOC2oXdFKgAB+hyV0d
BQnDP5Ydy9GSOKg1Rttl3E9h5m3h0dKkRgR7TjLj95DZAy3Avbicqn622zL4OXFk
kfdC39Vmqlk=
=UOg5
-----END PGP SIGNATURE-----