Bugzilla – Bug 854915
VUL-0: CVE-2013-6462: xorg-x11: sscanf without bounds in libXfont bdfread.c
Last modified: 2014-07-18 15:09:37 UTC
Via private list: Looking through some cppcheck output on libXfont, I noticed a bunch of warnings of the form: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data. where we use sscanf to parse strings without specifying a length limit. In most cases we appear to luck out because both input & output buffers are 1024 chars, but one case appears to allow overflow, which is easily fixed: --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileSt char charName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ } I made a bdf font that had ~800 characters there and ran on a test system: mkfontdir . xset +fp `pwd` xfd -fn '-sun-bdftest startchar-----12-120-75-75-p-160-sunolcursor-1' xlsfonts -lll -fn '-sun-bdftest startchar-----12-120-75-75-p-160-sunolcursor-1' xlsatoms | grep bdfReadChar and I could see that it had read the font & created an atom from the oversized character name, but not crashed, so I guess my stack layout is lucky enough that I didn't smash anything important. Does anyone see anything I'm missing here? This is a user-controllable buffer overflow in our setuid-root X server, right? -alan-
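Review bot: `%99s` stops the write past `charName[100]`, but it silently truncates any name longer than 99 bytes, so the oversized STARTCHAR name from the test font is accepted as a different, shortened glyph name instead of being rejected; consider checking the byte following the field (or recording the position with `%n`) and taking the existing `bdfError("bad character name in BDF file\n"); goto BAILOUT;` path when the name did not fit. Also, the literal 99 is tied by hand to the `char charName[100]` declared two lines above; defining the buffer size and the stringized field width from one macro would keep the two in step if the buffer is ever resized.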
Created attachment 571301 [details] testcase font
and it's EMBARGOED.
Any news on that one?
a release date was not set yet; it will probably be in the new year
Ok. And you believe this will be the official patch? I'm asking since there isn't anything yet in libXfont git master ...
no other version was discussed so far. we keep this bug updated if new stuff comes in ;)
Created attachment 572968 [details] CVE-2013-XXX.txt draft advisory by x.org
Created attachment 572969 [details] 0001-CVE-2013-XXXX-unlimited-sscanf-can-overflow-stack-bu.patch patch 1 to fix the current issue
Created attachment 572970 [details] 0002-Limit-additional-sscanf-strings-to-fit-buffer-sizes.patch second patch ... limit more of the sscanf present in the bdf parser
> sizes
>
> None of these could currently result in buffer overflow, as the
> input and output buffers were the same size, but adding limits
> helps ensure we keep it that way, if we ever resize any of these
> in the future.

This is being treated as security hardening, so no CVE.

> From aeabb3efa6905e11c479e2e5319f2b6b3ab22009 Mon Sep 17 00:00:00 2001
> From: Alan Coopersmith <alan.coopersmith@oracle.com>
> Date: Mon, 23 Dec 2013 18:34:02 -0800
> Subject: [PATCH:libXfont 1/2] CVE-2013-XXXX: unlimited sscanf can overflow stack buffer in bdfReadCharacters()
>
> Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]:
> (warning) scanf without field width limits can crash with huge
> input data.

Please use CVE-2013-6462 for this issue. To note, this is also the issue for which the security advisory applies.
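As an added example (not libXfont's code and not part of this bug report), the following C program puts the unbounded `STARTCHAR %s` form from the original bdfread.c beside the `%99s` fix, and adds a stricter variant that refuses a name that had to be truncated instead of accepting a shortened one. The 100-byte name buffer and 1024-byte line buffer mirror the sizes mentioned in the report; the helper names, the ~800-byte constructed STARTCHAR line, and the `%n`-based truncation check are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Size of the glyph-name buffer as in bdfReadCharacters(). The field width
 * in the format must be exactly one less, leaving room for the NUL; building
 * the format string from one macro keeps the two in step if the buffer is
 * ever resized. (Assumed layout for this example, not libXfont's macros.) */
#define CHARNAME_LEN   100
#define CHARNAME_WIDTH 99
#define STR_(x) #x
#define STR(x) STR_(x)
#define STARTCHAR_FMT "STARTCHAR %" STR(CHARNAME_WIDTH) "s"
typedef char charname_width_check[(CHARNAME_WIDTH + 1 == CHARNAME_LEN) ? 1 : -1];

/* Before the fix: %s has no width, so a name longer than 99 bytes writes
 * past the end of name[]. Kept only for contrast; it is fed a short line
 * below and must never see untrusted input. */
int parse_startchar_unsafe(const char *line, char name[CHARNAME_LEN])
{
    return sscanf(line, "STARTCHAR %s", name) == 1;
}

/* The fix as shipped: at most 99 bytes plus NUL are stored. A longer name
 * is silently cut to 99 bytes and the parse still reports success. */
int parse_startchar_fixed(const char *line, char name[CHARNAME_LEN])
{
    return sscanf(line, STARTCHAR_FMT, name) == 1;
}

/* Stricter variant (an addition, not the upstream patch): %n records how
 * many bytes were consumed; if the byte right after the stored name is
 * neither whitespace nor end of string, the name did not fit, so fail. */
int parse_startchar_strict(const char *line, char name[CHARNAME_LEN])
{
    int consumed = 0;
    if (sscanf(line, STARTCHAR_FMT "%n", name, &consumed) != 1)
        return 0;
    unsigned char next = (unsigned char)line[consumed];
    return next == '\0' || isspace(next);
}

/* Constructed input: "STARTCHAR " + name_len copies of 'A' + "\n".
 * Returns 0 if buf cannot hold the line. */
int make_startchar_line(char *buf, size_t bufsz, size_t name_len)
{
    const char prefix[] = "STARTCHAR ";
    size_t plen = sizeof(prefix) - 1;
    if (bufsz < plen + name_len + 2)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', name_len);
    buf[plen + name_len] = '\n';
    buf[plen + name_len + 1] = '\0';
    return 1;
}

/* Outcome helpers for a given name length: -1 if the line does not fit the
 * 1024-byte line buffer (the same size bdfread.c uses for its lines). */
int fixed_accepts(size_t name_len)
{
    char line[1024], name[CHARNAME_LEN];
    if (!make_startchar_line(line, sizeof line, name_len)) return -1;
    return parse_startchar_fixed(line, name);
}

int fixed_stored_len(size_t name_len)
{
    char line[1024], name[CHARNAME_LEN];
    if (!make_startchar_line(line, sizeof line, name_len)) return -1;
    if (!parse_startchar_fixed(line, name)) return -2;
    return (int)strlen(name);
}

int strict_accepts(size_t name_len)
{
    char line[1024], name[CHARNAME_LEN];
    if (!make_startchar_line(line, sizeof line, name_len)) return -1;
    return parse_startchar_strict(line, name);
}

int main(void)
{
    char line[1024], name[CHARNAME_LEN];

    /* ~800-byte name, as in the test font from the report */
    printf("fixed:  ok=%d stored=%d bytes\n", fixed_accepts(800), fixed_stored_len(800));
    printf("strict: ok=%d\n", strict_accepts(800));

    make_startchar_line(line, sizeof line, 5);   /* short line only */
    printf("unsafe: ok=%d name=%s\n", parse_startchar_unsafe(line, name), name);
    return 0;
}
```

With the 800-byte name the fixed parser still returns success and stores exactly 99 bytes, which is the behaviour the report observed (font read, atom created, no crash); the strict variant returns failure for the same line, and a 99-byte name passes both.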
Went public. The final patch again is at: http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
openSUSE_Factory/sle12: SR#213116
This is an autogenerated message for OBS integration: This bug (854915) was mentioned in https://build.opensuse.org/request/show/213116 Factory / libXfont
The SWAMPID for this issue is 55674. This issue was rated as moderate. Please submit fixed packages until 2014-01-22. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
openSUSE 12.2/12.3/13.1: SR#213159
Still maintained sle products:
sle11-sp3 --> xorg-x11-libs
sle11-sp2 --> xorg-x11-libs
sle11-sp1-x86_64 --> xorg-x11-libs
sle10-sp3-x86_64 --> xorg-x11-libs
sles9-sp3-teradata-x86_64 --> XFree86
This is an autogenerated message for OBS integration: This bug (854915) was mentioned in https://build.opensuse.org/request/show/213159 13.1+12.2+12.3 / libXfont
> sle11-sp3 --> xorg-x11-libs
> sle11-sp2 --> xorg-x11-libs
> sle11-sp1-x86_64 --> xorg-x11-libs

--> SR#30412
> sle10-sp3-x86_64 --> xorg-x11-libs

Wrong, that's *xorg-x11*.
sle10-sp3-x86_64/xorg-x11: SR#30413
sles9-sp3-teradata-x86_64: SR#30415
package updates done
openSUSE-SU-2014:0073-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 854915
CVE References: CVE-2013-6462
Sources used:
openSUSE 13.1 (src): libXfont-1.4.6-2.4.1
openSUSE 12.3 (src): libXfont-1.4.5-4.4.1
openSUSE 12.2 (src): libXfont-1.4.5-2.4.1
openSUSE-SU-2014:0075-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 854915
CVE References: CVE-2013-6462
Sources used:
openSUSE 11.4 (src): xorg-x11-libs-7.6-17.42.1
released
Update released for: xorg-x11-devel, xorg-x11-libs, xorg-x11-libs-debuginfo, xorg-x11-libs-debugsource Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: xorg-x11-devel, xorg-x11-devel-32bit, xorg-x11-devel-64bit, xorg-x11-libs, xorg-x11-libs-32bit, xorg-x11-libs-64bit, xorg-x11-libs-debuginfo, xorg-x11-libs-debuginfo-32bit, xorg-x11-libs-debuginfo-64bit, xorg-x11-libs-debuginfo-x86, xorg-x11-libs-debugsource, xorg-x11-libs-x86 Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: xorg-x11-devel, xorg-x11-devel-32bit, xorg-x11-devel-64bit, xorg-x11-libs, xorg-x11-libs-32bit, xorg-x11-libs-64bit, xorg-x11-libs-debuginfo, xorg-x11-libs-debuginfo-32bit, xorg-x11-libs-debuginfo-64bit, xorg-x11-libs-debuginfo-x86, xorg-x11-libs-debugsource, xorg-x11-libs-x86 Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: xorg-x11, xorg-x11-Xnest, xorg-x11-Xprt, xorg-x11-Xvfb, xorg-x11-Xvnc, xorg-x11-debuginfo, xorg-x11-devel, xorg-x11-doc, xorg-x11-driver-options, xorg-x11-fonts-100dpi, xorg-x11-fonts-75dpi, xorg-x11-fonts-cyrillic, xorg-x11-fonts-scalable, xorg-x11-fonts-syriac, xorg-x11-libs, xorg-x11-man, xorg-x11-sdk, xorg-x11-server, xorg-x11-server-glx Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: XFree86, XFree86-Mesa, XFree86-Mesa-devel, XFree86-Xnest, XFree86-Xprt, XFree86-Xvfb, XFree86-Xvnc, XFree86-devel, XFree86-doc, XFree86-driver-options, XFree86-fonts-100dpi, XFree86-fonts-75dpi, XFree86-fonts-cyrillic, XFree86-fonts-scalable, XFree86-fonts-syriac, XFree86-libs, XFree86-man, XFree86-server, XFree86-server-glx, km_drm Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
SUSE-SU-2014:0219-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 854915
CVE References: CVE-2013-6462
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Server 11 SP3 (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Server 11 SP2 for VMware (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Server 11 SP2 (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xorg-x11-libs-7.4-8.26.40.1
SUSE Linux Enterprise Desktop 11 SP2 (src): xorg-x11-libs-7.4-8.26.40.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-07-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57862
*** Bug 882908 has been marked as a duplicate of this bug. ***
Is there a release date/ETA for the LTSS package for SLES11SP1? I do not see anything listed on the CVE page: http://support.novell.com/security/cve/CVE-2013-6462.html
Currently unknown. It enters QA currently, but it might take some weeks.
Update released for: xorg-x11-devel, xorg-x11-devel-32bit, xorg-x11-libs, xorg-x11-libs-32bit, xorg-x11-libs-debuginfo, xorg-x11-libs-debuginfo-32bit, xorg-x11-libs-debuginfo-x86, xorg-x11-libs-debugsource, xorg-x11-libs-x86 Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0881-1: An update that fixes 19 vulnerabilities is now available.
Category: security (moderate)
Bug References: 815451,821663,854915,857544
CVE References: CVE-2013-1984,CVE-2013-1985,CVE-2013-1986,CVE-2013-1988,CVE-2013-1990,CVE-2013-1991,CVE-2013-1992,CVE-2013-1995,CVE-2013-1996,CVE-2013-1998,CVE-2013-1999,CVE-2013-2000,CVE-2013-2001,CVE-2013-2003,CVE-2013-2063,CVE-2013-6462,CVE-2014-0209,CVE-2014-0210,CVE-2014-0211
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): xorg-x11-libs-7.4-8.26.42.4