-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0840
                      libXfont multiple vulnerabilities
                                 29 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libXfont
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0211 CVE-2014-0210 CVE-2014-0209
Reference:         ESB-2014.0726

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2014-005
                 =================================

Topic:          libXfont multiple vulnerabilities

Version:        NetBSD-current:         source prior to May 13th, 2014
                NetBSD 6.1 - 6.1.4:     affected
                NetBSD 6.0 - 6.0.5:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected

Severity:       privilege escalation

Fixed:          NetBSD-current:         May 13th, 2014
                NetBSD-6-0 branch:      May 14th, 2014
                NetBSD-6-1 branch:      May 14th, 2014
                NetBSD-6 branch:        May 14th, 2014
                NetBSD-5-2 branch:      May 14th, 2014
                NetBSD-5-1 branch:      May 14th, 2014
                NetBSD-5 branch:        May 14th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

integer overflow of allocations in font metadata file parsing
This vulnerability has been assigned CVE-2014-0209

unvalidated length fields when parsing xfs protocol replies
This vulnerability has been assigned CVE-2014-0210

integer overflows calculating memory needs for xfs replies
This vulnerability has been assigned CVE-2014-0211

The X server commonly runs as root; the user using the X server controls
the fontpath.
A malicious local user could thus utilize buffer overflows via setting
the fontpath to a prepared font directory, or to a malicious xfs server,
to execute code as root.


Technical Details
=================

citing from the X.org advisory:

integer overflow of allocations in font metadata file parsing

  When a local user who is already authenticated to the X server adds
  a new directory to the font path, the X server calls libXfont to open
  the fonts.dir and fonts.alias files in that directory and add entries
  to the font tables for every line in it.  A large file (~2-4 gb) could
  cause the allocations to overflow, and allow the remaining data read
  from the file to overwrite other memory in the heap.

unvalidated length fields when parsing xfs protocol replies

  When parsing replies received from the font server, these calls do
  not check that the lengths and/or indexes returned by the font server
  are within the size of the reply or the bounds of the memory allocated
  to store the data, so could write past the bounds of allocated memory
  when storing the returned data.

integer overflows calculating memory needs for xfs replies

  These calls do not check that their calculations for how much memory
  is needed to handle the returned data have not overflowed, so can
  result in allocating too little memory and then writing the returned
  data past the end of the allocated buffer.


Solutions and Workarounds
=========================

Update libXfont to a non-vulnerable version.
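Before the upgrade steps, an added illustration (not libXfont or NetBSD code) of the two defect classes the Technical Details section describes, written as the checks a reviewer looks for in any parser that sizes allocations from a count and copies data by a length field: the multiplication that sizes a table is checked for wrap-around before allocating, and a length taken from a reply is compared against the bytes actually received before it is used. The record size, the reply layout and the function names (font_table_alloc, reply_copy_name, parse_sample) are assumptions for this example, not the xfs protocol or libXfont's real structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 64  /* assumed per-entry record size; not libXfont's real size */

/* (1) Overflow-checked allocation sizing.  Returns NULL and sets *overflowed
 * when count * ENTRY_SIZE cannot be represented in size_t, instead of
 * handing back a wrapped-around (far too small) buffer. */
void *font_table_alloc(size_t count, int *overflowed)
{
    *overflowed = 0;
    if (count > SIZE_MAX / ENTRY_SIZE) {
        *overflowed = 1;
        return NULL;
    }
    return calloc(count, ENTRY_SIZE);
}

/* The unchecked arithmetic, kept only to show what the check prevents:
 * the product wraps modulo SIZE_MAX + 1 and can come out as a tiny number. */
size_t unchecked_table_bytes(size_t count)
{
    return count * ENTRY_SIZE;
}

/* Drives font_table_alloc with a count that would wrap; returns 1 when the
 * checked path refuses the allocation as intended. */
int alloc_rejects_wrapping_count(void)
{
    int overflowed = 0;
    void *p = font_table_alloc(SIZE_MAX / ENTRY_SIZE + 1, &overflowed);
    free(p);  /* p is NULL here; free(NULL) is a no-op */
    return p == NULL && overflowed == 1;
}

/* A sane count still succeeds; returns 1 on a successful allocation. */
int alloc_accepts_small_count(void)
{
    int overflowed = 0;
    void *p = font_table_alloc(4, &overflowed);
    int ok = p != NULL && overflowed == 0;
    free(p);
    return ok;
}

/* (2) Length fields from untrusted data.  Assumed reply layout, constructed
 * for this example (not the xfs protocol): a 2-byte big-endian total length,
 * a 1-byte name length, then the name bytes.  Every length is checked
 * against the bytes actually received and the destination capacity before
 * it is used as a copy length.  Returns the name length or -1. */
int reply_copy_name(const uint8_t *buf, size_t len, char *out, size_t out_cap)
{
    if (len < 3)
        return -1;                          /* header incomplete */
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared < 3 || declared > len)
        return -1;                          /* reply claims more than arrived */
    size_t name_len = buf[2];
    if (name_len > declared - 3)
        return -1;                          /* name would run past the reply */
    if (name_len + 1 > out_cap)
        return -1;                          /* name would overflow the destination */
    memcpy(out, buf + 3, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

/* Constructed sample replies. */
const uint8_t sample_good[]      = {0x00, 0x08, 0x05, 'f', 'i', 'x', 'e', 'd'};
const uint8_t sample_long_name[] = {0x00, 0x08, 0x40, 'f', 'i', 'x', 'e', 'd'}; /* name_len 64, only 5 available */
const uint8_t sample_truncated[] = {0x00, 0x08, 0x02, 'a', 'b'};                /* declares 8 bytes, only 5 arrived */

/* Parse one sample into a small local buffer and return the result code. */
int parse_sample(const uint8_t *reply, size_t reply_len)
{
    char name[16];
    return reply_copy_name(reply, reply_len, name, sizeof name);
}

int main(void)
{
    printf("wrapped size for %zu entries: %zu bytes\n",
           (size_t)(SIZE_MAX / ENTRY_SIZE + 1),
           unchecked_table_bytes(SIZE_MAX / ENTRY_SIZE + 1));
    printf("checked allocation refused: %d\n", alloc_rejects_wrapping_count());
    printf("good reply -> %d, oversized name -> %d, truncated -> %d\n",
           parse_sample(sample_good, sizeof sample_good),
           parse_sample(sample_long_name, sizeof sample_long_name),
           parse_sample(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The wrap-around check uses SIZE_MAX / ENTRY_SIZE rather than testing the product afterwards, because once the multiplication has wrapped the result looks like an ordinary small size and nothing downstream can tell. The reply parser checks the outer length before the inner one, so a reply that lies about its own size is rejected before any field derived from it is trusted.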
libXfont is contained in xbase.tgz, so get

  http://nyftp.netbsd.org/pub/NetBSD-daily/<r>/<d>/<a>/binary/sets/xbase.tgz

with <r>=release, <d>=date > 20140514, <a>=arch (for example:
http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6/201405220640Z/amd64/binary/sets/xbase.tgz)
and then:

for X.org
        cd / ; tar xzpf xbase.tgz ./usr/X11R7/lib/libXfont.so.3.0
for xfree
        cd / ; tar xzpf xbase.tgz ./usr/X11R6/lib/libXfont.so.1.5

or rebuild the system from fixed source with build.sh -x

Fixed versions:

X.org: xsrc/external/mit/libXfont/dist/src/
                        HEAD    6            6-1          6-0
fc/fsconvert.c          1.2     1.1.1.2.2.1  1.1.1.2.6.1  1.1.1.2.4.1
fc/fserve.c             1.2     1.1.1.2.2.1  1.1.1.2.6.1  1.1.1.2.4.1
fontfile/dirfile.c      1.2     1.1.1.2.2.1  1.1.1.2.6.1  1.1.1.2.4.1

                        5            5-2              5-1
fc/fsconvert.c          1.1.1.1.2.2  1.1.1.1.2.1.4.1  1.1.1.1.2.1.2.1
fc/fserve.c             1.1.1.1.2.2  1.1.1.1.2.1.4.1  1.1.1.1.2.1.2.1
fontfile/dirfile.c      1.1.1.1.2.2  1.1.1.1.2.1.4.1  1.1.1.1.2.1.2.1

xfree: xsrc/xfree/xc/lib/font/
                        HEAD    6          6-1        6-0
fc/fsconvert.c          1.5     1.4.26.1   1.4.32.1   1.4.28.1
fc/fserve.c             1.5     1.4.26.1   1.4.32.1   1.4.28.1
fontfile/dirfile.c      1.5     1.4.14.1   1.4.20.1   1.4.16.1

                        5          5-2        5-1
fc/fsconvert.c          1.4.20.1   1.4.30.1   1.4.24.1
fc/fserve.c             1.4.20.1   1.4.30.1   1.4.24.1
fontfile/dirfile.c      1.4.8.1    1.4.18.1   1.4.12.1


Thanks To
=========

Thanks to Ilja van Sprundel, a security researcher with IOActive, who
discovered the issues and the X.org security team for developing fixes
and coordinating the vulnerability release.


Revision History
================

2014-05-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.  The most
recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-005.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-005.txt,v 1.1 2014/05/27 23:53:20 tonnerre Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJThSWUAAoJEAZJc6xMSnBu4Y4P/jdaNc5mGuFIWhReYrraP2Dd
Mo3ppm1BsMBHjaDKe8ldM7ggIwO8kswi8HWtpR4z2tPwuoYPFi9nDKpOJLNscsbR
PwOSmnd7DRxOWYL4t6IiS4S8N0tsuN6gaOduWB/3KMASuvEGi7MOAe+k+24JT8oa
jj9/IDNv/6XfoWHPTxN2uUAYAV278WmQpMIVt40mISrGXighTQ7wUDz90GnBT7Vq
jt6ZdtjdB8k95/0OoFruRZkLmXOVjNmdsjcPw1dbxiM2J5otB2G1chxXCdEF+I2a
NB4L1eqUG4+xDd3oemlDpqmfkxMwdOfjDTuiPD2LqHjlokt+EK15T7tWtfD5IZCx
8jNjHbjrK8L7Zp6Wa9VdcLmFJVc3cNLlUxJZATVA7kK9du25GDXBiBKd7P57NJOw
eBZo8Ku+fMph7B409Ii2+tTubmTUWAX4raoIXhcrLGz+NtEFPB072gnpCkhVw6bR
hZ2ZR9o2Xb3+bdLjGqTEjJCJLRFfYn4r3fVA/cdLPlSC6mtZ9fbKScsIOmZooo1Z
L+Z36Cv3j6CrDSgDqmmabrC/atXQ9cK7Wzntu/DRKfq8vkPuSMlpuQRlfzjcgSsH
/nGY+0AG10/QVOncgK+zS/a536zrPfQynTGgx+rluClxIzWUYzDRZt00C8/I41wJ
eP+z29hbJ2KmuDl8QIvK
=VDy0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.  The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.  If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.  AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU4azXRLndAQH1ShLAQJ49w//YcvFu6hbFOIIZtBvzCeTLzWUeD1GZKpZ
z1JBm8ruoV0RF7DFCw/mkn+glx4fT/lVY8p5/9osvY9PrqfCc7ATa0MAowmkYFdF
MApsVt9S/qfe/uXbNcGm2w22pHI+RitfP+XX2p1BoB5dxTQ3KEfU1QMQwNhpP78b
JsicCGOslZfltkQ01eGX5/Ag555jPoTm9zfPe6oLjCd7700Thz/s2URXn+lpQ0NO
P5Q/gD1O8qbuMAPRn018TM+I/8JrZpGOgog5RrdLcHZNM/1vlAftGzycB9XgQ0wz
sld8/BDC1fx3K3z0xcoSX9iiLIpnLHPb6OkrII8y0t3rTkjDctEBtXa6qvMVG22h
4UvzMrMDaobz2GOZwneoc/7NzA2IwzjHzhjcDBseWZqJT96LGXsoExPGlaz3Enth
GiO9RQEjypo9j4BTSj5GvAWFOmv+14kTg4Sdg4OmKBvUWLypzesgPnrxgd365dFs
7XlX2/hAPVHqYe/QlC1hgWWXpWluO8yFkH2dtMcWZYvT2GhZr/n7aRdhdZiglsAZ
LAvbrPv/vsErVRZt30Ku8Wd3ZUpmNYW05wwt752uBLyFuDIh8YzSn595YNaSRSkL
YuFqheTizwxPaihZItFTuU4cjhS9Kjxvf+wWIfF4duyy1tU1uSjVCoBYK729s0YD
DoVpw9ngZVI=
=yIFW
-----END PGP SIGNATURE-----