seeing is believing

libXfont Stack Buffer Overflow

libXfont Stack Buffer Overflow
Posted Jan 9, 2014
Site x.org

X.Org Security Advisory - libXfont suffers from a stack buffer overflow vulnerability. A BDF font file containing a longer than expected string could overflow the buffer on the stack. As libXfont is used to read user-specified font files in all X servers distributed by X.Org, including the Xorg server which is often run with root privileges or as setuid-root in order to access hardware, this bug may lead to an unprivileged user acquiring root privileges in some systems.

tags | advisory, overflow, root
advisories | CVE-2013-6462
MD5 | 17d6e5f83ac96f08c9245ddb124f8a36

libXfont Stack Buffer Overflow

Change Mirror Download
X.Org Security Advisory: January 7, 2014 - CVE-2013-6462
Stack buffer overflow in parsing of BDF font files in libXfont
==============================================================

Description:
============

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:

[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.

Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack. Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.

As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.

Affected Versions
=================

This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
tarballs, but not in those from the X11R4 tarballs.)

Fixes
=====

A fix is available via the attached patch, which is also included in
libXfont 1.4.7, released today, and available in the libXfont git repo:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63

Thanks
======

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
http://cppcheck.sourceforge.net/

--
-Alan Coopersmith- alan.coopersmith at oracle.com
X.Org Security Response Team - xorg-security at lists.x.org
-------------- next part --------------
From 4d024ac10f964f6bd372ae0dd14f02772a6e5f63 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Mon, 23 Dec 2013 18:34:02 -0800
Subject: [PATCH:libXfont] CVE-2013-6462: unlimited sscanf overflows stack
buffer in bdfReadCharacters()

Fixes cppcheck warning:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
---
src/bitmap/bdfread.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index e2770dc..e11c5d2 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
char charName[100];
int ignore;

- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
--
1.7.9.2


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close