
Bugtraq mailing list archives

Multiple integer overflows in XFree86 (local/remote)
From: <blexim () hush com>
Date: Sat, 30 Aug 2003 02:25:55 -0700

Hash: SHA1

Remote and local vulnerabilities in XFree86 font libraries

Product:         XFree86 (4.3.0)
Impact:          Potential privilege escalation / remote code execution
Bug class:       Integer overflow
Vendor notified: Yes
Fix available:   Yes (see end of advisory)

I have identified several bugs in the font libraries of the current version
(4.3.0) of the XFree86 font libraries. These bugs could potentially
lead to the execution of arbitrary code by a remote user in any process
which calls the functions in question. The functions are related to
the transfer and enumeration of fonts from font servers to clients, limiting
the range of the exposure caused by these bugs.

Specifically, several variables passed from a font server to a
client are not adequately checked, allowing integer overflows to cause
sizes of buffers to be calculated.  These erroneous calculations can
lead to buffers on the heap and stack overflowing, potentially leading
to arbitrary execution. As stated before, the risk is limited by the
fact that only clients can be affected remotely by these bugs, but in
some (non default)
configurations, both xfs and XServer can act as clients to remote font
In these configurations, both xfs and XServer could be potentially compromised
remotely.  Also, it is possible for a local unprivileged user to alter
the configuration of Xserver in such a manner as to force it to load
a font from an arbitrary font server.  Since Xserver is setuid root by
default, a local user may potentially gain root privileges.

To prevent the local privilege escalation, remove the suid bit from the
Xserver binary:
        chmod u-s XFree86

Ensure xfs and Xserver do not include untrusted font servers in their
search paths.

The current CVS version of XFree86 has been updated to correct these

Discovered by:
blexim () hush com of isen
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
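
Added example (not part of the original advisory and not XFree86 code): the bug class described above, shown as an unchecked 32-bit size calculation beside a checked one. The record layout, the function names and the reply fields are hypothetical; the advisory does not name the affected functions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte record; not taken from the XFree86 sources. */
typedef struct { uint8_t data[16]; } font_entry;

/* Unchecked pattern: the 32-bit product wraps for large counts, so the
 * computed allocation size is far smaller than `count` entries need. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(font_entry);
}

/* Checked pattern: reject counts whose product would overflow, or that
 * claim more entries than the received payload could hold. */
int checked_alloc_size(uint32_t count, uint32_t reply_len, uint32_t *out)
{
    if (count > UINT32_MAX / sizeof(font_entry))
        return -1;                        /* multiplication would wrap */
    uint32_t need = count * (uint32_t)sizeof(font_entry);
    if (need > reply_len)
        return -1;                        /* count disagrees with payload */
    *out = need;
    return 0;
}

/* Copy entries out of a reply only after the size has been validated. */
font_entry *read_entries(const uint8_t *reply, uint32_t reply_len,
                         uint32_t count)
{
    uint32_t need;
    if (checked_alloc_size(count, reply_len, &need) != 0 || need == 0)
        return NULL;
    font_entry *e = malloc(need);
    if (e != NULL)
        memcpy(e, reply, need);
    return e;
}

int main(void)
{
    uint8_t reply[32] = {0};              /* constructed sample: 2 entries */
    font_entry *ok  = read_entries(reply, sizeof reply, 2);
    font_entry *bad = read_entries(reply, sizeof reply, 0x10000001u);
    int rc = (ok != NULL && bad == NULL) ? 0 : 1;
    free(ok);
    return rc;
}
```

With a count of 0x10000001 the unchecked calculation yields 16 bytes, which is the mismatch between allocated and copied size that the advisory describes; the checked version refuses the reply instead.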

