FreshPorts - VuXML

the freedesktop.org project reports:

A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog.

< 1.5.4

< 2.0.3

freedesktop.org reports:

A BDF font file containing a longer than expected string can cause a buffer overflow on the stack. Testing in X servers built with Stack Protector restulted in an immediate crash when reading a user-proveded specially crafted font.

As libXfont is used to read user-specified font files in all X servers distributed by X.Org, including the Xorg server which is often run with root privileges or as setuid-root in order to access hardware, this bug may lead to an unprivileged user acquiring root privileges in some systems.

< 1.4.7,1

Tomas Hoger reports:

The compress/ LZW decompress implentation does not correctly handle compressed streams that contain code words that were not yet added to the decompression table. This may lead to arbitrary memory corruption. Successfull exploitation may possible lead to a local privilege escalation.

< 1.4.4_1,1

The freedesktop.org project reports:

If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory.

Without the checks a malformed PCF file can cause the library to make atom from random heap memory that was behind the `strings` buffer. This may crash the process or leak information.

< 1.5.3

< 2.0.2

Alan Coopersmith reports:

Ilja van Sprundel, a security researcher with IOActive, has discovered several issues in the way the libXfont library handles the responses it receives from xfs servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues.

Most of these issues stem from libXfont trusting the font server to send valid protocol data, and not verifying that the values will not overflow or cause other damage. This code is commonly called from the X server when an X Font Server is active in the font path, so may be running in a setuid-root process depending on the X server in use. Exploits of this path could be used by a local, authenticated user to attempt to raise privileges; or by a remote attacker who can control the font server to attempt to execute code with the privileges of the X server.

< 1.4.7_3

< 7.4_2

ge *

Alan Coopersmith reports:

Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).

< 1.5.1

< 7.4_4

< 7.4_4

Matthieu Herrb of X.Org reports:

Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.

Exploiting these overflows will crash the X server or, under certain circumstances allow the execution of arbitray machine code.

When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges.

All these vulnerabilities, to be exploited succesfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed.

< 1.4_4,1

< 1.3.1_2,1