Bug 921978 (CVE-2015-1802) - VUL-0: CVE-2015-1802: libXFont: BDF file parsing issues in libXfont
Status: RESOLVED FIXED
Alias: CVE-2015-1802
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Major
Target Milestone: ---
Deadline: 2015-03-24
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:61140 maint:...
Blocks: 960853
Reported: 2015-03-12 11:35 UTC by Andreas Stieger
Modified: 2017-05-30 12:01 UTC

Found By: Security Response Team


Comment 10 Swamp Workflow Management 2015-03-17 12:53:18 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61139
Comment 13 Andreas Stieger 2015-03-17 15:42:52 UTC
public: http://lists.x.org/archives/xorg-announce/2015-March/002550.html

X.Org Security Advisory:  March 17, 2015
More BDF file parsing issues in libXfont
========================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered an 
issue in the parsing of BDF font files by libXfont.  Additional testing by
Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool 
uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged
user with access to the X server can tell the X server to read a given font
file from a path of their choosing, these vulnerabilities have the potential
to allow unprivileged users to run code with the privileges of the X server
(often root access).

The vulnerabilities are:

- CVE-2015-1802: bdfReadProperties: property count needs range check

    The bdf parser reads a count for the number of properties defined in
    a font from the font file, and allocates arrays with entries for each
    property based on that count.  It never checked to see if that count
    was negative, or large enough to overflow when multiplied by the size
    of the structures being allocated, and could thus allocate the wrong
    buffer size, leading to out of bounds writes.

- CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

    If the bdf parser failed to parse the data for the bitmap for any
    character, it would proceed with an invalid pointer to the bitmap
    data and later crash when trying to read the bitmap from that pointer.

- CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

    The bdf parser read metrics values as 32-bit integers, but stored
    them into 16-bit integers.  Overflows could occur in various operations
    leading to out-of-bounds memory access.

Affected Versions
=================

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.


Fixes
=====

Fixes are available in the patches for these libXfont git commits:
      2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
      78c2e3d70d29698244f70164428bd2868c0ab34c
      2351c83a77a478b49cba6beb2ad386835e264744

Which are now available from:
      git://anongit.freedesktop.org/git/xorg/lib/libXfont
      http://cgit.freedesktop.org/xorg/lib/libXfont/

Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
from X.Org.

Thanks
======

X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and
William Robinet of Conostix for reporting these issues to our security team
and helping evaluate and test the fixes; and thanks Michal Zalewski and the
American Fuzzy Lop community for providing their fuzz testing tool as an open
source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ .

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	  X.Org Security Response Team - xorg-security at lists.x.org
Comment 15 Stefan Dirsch 2015-03-18 11:23:48 UTC
BTW, I've updated X11:XOrg/libXfont meanwhile and opened submit request for openSUSE:Factory.
Comment 16 Michal Srb 2015-03-19 13:56:21 UTC
Resubmitted SLE10-SP4 because the original didn't contain fix from bnc#915810.

That should be all -> reassigning to security team.
Comment 18 Bernhard Wiedemann 2015-03-19 17:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (921978) was mentioned in
https://build.opensuse.org/request/show/291609 13.2+13.1 / libXfont
Comment 19 Swamp Workflow Management 2015-03-27 09:08:31 UTC
openSUSE-SU-2015:0614-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 921978
CVE References: CVE-2015-1802,CVE-2015-1803,CVE-2015-1804
Sources used:
openSUSE 13.2 (src):    libXfont-1.5.0-2.4.1
openSUSE 13.1 (src):    libXfont-1.4.6-2.12.1
Comment 20 Swamp Workflow Management 2015-04-07 21:04:58 UTC
SUSE-SU-2015:0674-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 921978
CVE References: CVE-2015-1802,CVE-2015-1803,CVE-2015-1804
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xorg-x11-libs-7.4-8.26.44.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    xorg-x11-libs-7.4-8.26.44.1
SUSE Linux Enterprise Server 11 SP3 (src):    xorg-x11-libs-7.4-8.26.44.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xorg-x11-libs-7.4-8.26.44.1
Comment 21 Swamp Workflow Management 2015-04-10 09:06:14 UTC
SUSE-SU-2015:0702-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 921978
CVE References: CVE-2015-1802,CVE-2015-1803,CVE-2015-1804
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libXfont-1.4.7-4.1
SUSE Linux Enterprise Server 12 (src):    libXfont-1.4.7-4.1
SUSE Linux Enterprise Desktop 12 (src):    libXfont-1.4.7-4.1
Comment 22 Marcus Meissner 2015-12-08 14:30:10 UTC
released
Comment 23 Tristan Ye 2016-04-18 01:28:30 UTC
Hi All, I saw a build request against SLES 11SP1 for this CVE, just wondering if we have already made the fix happen for SLES 11SP1?
Comment 24 Bernhard Wiedemann 2017-05-30 12:01:31 UTC
This is an autogenerated message for OBS integration:
This bug (921978) was mentioned in
https://build.opensuse.org/request/show/499651 Factory / libXfont