Fwd: [ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server

Rene Ladan r.c.ladan at gmail.com
Tue Oct 2 11:01:35 PDT 2007



---------- Forwarded message ----------
From: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: 2 Oct. 2007 19:12
Subject: [ANNOUNCE] X.Org security advisory: multiple vulnerabilities
in X font server
To: xorg-announce at lists.freedesktop.org, xorg <xorg at lists.freedesktop.org>

X.Org security advisory, October 2nd, 2007
Multiple vulnerabilities in X font server
CVE ID: CVE-2007-4568


Several vulnerabilities have been identified in xfs, the X font
server.  The QueryXBitmaps and QueryXExtents protocol requests suffer
from lack of validation of their 'length' parameters. Maliciously
crafted requests can either cause two different problems with both

 * An integer overflow in the computation of the size of a dynamic
   buffer can lead to a heap overflow in the build_range() function.

 * An arbitrary number of bytes on the heap can be swapped by the
   swap_char2b() function.


These vulnerabilities can lead to code execution in the font
server. On most modern systems, the font server is accessible only for
local clients and runs with reduced privileges. But on some systems it
may still be accessible from remote clients and possibly running with
root privileges, creating an opportunity for remote privilege

Affected versions

All X.Org released versions of xfs are vulnerable to these
problems. Other implementations of the font server based on the X11R6
sample implementation are likely to be vulnerable too.


A fix for these vulnerabilities is included in xfs 1.0.5.

A patch for xfs 1.0.4 (included in X11R7.3) that should apply on
former versions with minor tweaks is also available:

MD5: e61a30a8cff105b86f8b924d84508e24   xorg-xfs-1.0.4-query.diff
SHA1: 093db0ce2c134ebc40e47a40db89503dad2b0f3e  xorg-xfs-1.0.4-query.diff


These vulnerabilities were discovered by Sean Larsson from iDefense
--
Matthieu Herrb

GPG fingerprint = E738 5471 D185 7013 0EE0  4FC8 3C1D 6F83 12E1 84F6

"It won't fit on the line."
		-- me, 2001
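
An added example, not part of the advisory and not the xfs source or its patch: a sketch of the kind of check whose absence the advisory describes, where a client-supplied count is validated against the bytes actually received before it is used to size a heap buffer or to bound a byte swap. The names `char2b_t`, `mul_ok` and `copy_char2b`, the two-byte layout, and the sample payload are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire layout: a 2-byte character index. */
typedef struct { uint8_t byte1, byte2; } char2b_t;

/* Overflow-checked a * b; returns 0 when the product would wrap. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* Copy `count` entries from a request payload, swapping bytes for clients of
 * the opposite byte order. `count` is client-controlled, so it is checked
 * against the bytes received before any allocation or swap. */
char2b_t *copy_char2b(const uint8_t *payload, size_t payload_len,
                      uint32_t count, int swap)
{
    size_t need;
    if (!mul_ok(count, sizeof(char2b_t), &need))   /* size would wrap */
        return NULL;
    if (need == 0 || need > payload_len)   /* empty, or count exceeds data */
        return NULL;
    char2b_t *out = malloc(need);
    if (out == NULL)
        return NULL;
    memcpy(out, payload, need);
    for (uint32_t i = 0; swap && i < count; i++) { /* bounded by the check */
        uint8_t t = out[i].byte1;
        out[i].byte1 = out[i].byte2;
        out[i].byte2 = t;
    }
    return out;
}

int main(void)
{
    const uint8_t payload[] = { 0x00, 0x41, 0x00, 0x5a };  /* constructed */
    char2b_t *ok = copy_char2b(payload, sizeof payload, 2, 1);
    char2b_t *bad = copy_char2b(payload, sizeof payload, 0x80000001u, 1);
    int pass = ok != NULL && bad == NULL;
    free(ok);
    free(bad);
    return pass ? 0 : 1;
}
```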