23-Year-Old X11 Server Security Vulnerability Exposed

Anonymous Coward writes | about 7 months ago


An anonymous reader writes "The recent report of X11/X.Org security in bad shape rings more truth today. The X.Org Foundation announced today that they've found an X11 security issue that dates back to 1991. The issue is a possible stack buffer overflow that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5. After the vulnerability being in the code-base for 23 years, it was finally uncovered via the automated cppcheck static analysis utility."

1 comment


Let's see how the "dead" NetBSD handles this... (1)

fisted (2295862) | about 7 months ago | (#45896963)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                NetBSD Security Advisory 2014-001

Topic: Stack buffer overflow in libXfont

Version: NetBSD-current: source prior to Tue 7th, 2014
                NetBSD 6.1: affected
                NetBSD 6.0 - 6.0.2: affected
                NetBSD 5.1 - 5.1.2: affected
                NetBSD 5.2: affected

Severity: privilege escalation

Fixed: NetBSD-current: Tue 7th, 2014
                NetBSD-6-0 branch: Tue 7th, 2014
                NetBSD-6-1 branch: Tue 7th, 2014
                NetBSD-6 branch: Tue 7th, 2014
                NetBSD-5-2 branch: Tue 7th, 2014
                NetBSD-5-1 branch: Tue 7th, 2014
                NetBSD-5 branch: Tue 7th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract

A stack buffer overflow in parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont,
and likely could be exploited to run code with the privileges of
the X program (most notably, the X server, commonly running as root).

This vulnerability has been assigned CVE-2013-6462

Technical Details

- From the X.org advisory:

Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:

      [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
              scanf without field width limits can crash with huge input data.

Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack. Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.

As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.

This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
    tarballs, but not in those from the X11R4 tarballs.)

Solutions and Workarounds

Workaround: restrict access to the X server.

Solutions: a fix is included in the following versions:

xorg: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
HEAD 1.3
netbsd-6 1.1.1.2.2.1
netbsd-6-1 1.1.1.2.6.1
netbsd-6-0 1.1.1.2.4.1
netbsd-5 1.1.1.1.2.2
netbsd-5-2 1.1.1.1.2.1.4.1
netbsd-5-1 1.1.1.1.2.1.2.1

xfree: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
HEAD 1.4
netbsd-6 1.2.8.1
netbsd-6-1 1.2.14.1
netbsd-6-0 1.2.10.1
netbsd-5 1.2.2.1
netbsd-5-2 1.2.12.1
netbsd-5-1 1.2.6.1

To obtain fixed binaries, fetch the appropriate xbase.tgz from a daily
build later than the fix dates, i.e.
http://nyftp.netbsd.org/pub/NetBSD-daily/ [netbsd.org] ///binary/sets/xbase.tgz
with a date 20140108* or larger, and your release version and architecture,
and then extract the libXfont shared library files:

for X.org environments, netbsd-6* and HEAD:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
    ./usr/X11R7/lib/libXfont.so.3 \
    ./usr/X11R7/lib/libXfont.so.3.0

for X.org environments and netbsd-5*:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
    ./usr/X11R7/lib/libXfont.so.2 \
    ./usr/X11R7/lib/libXfont.so.2.0

and for xfree environments:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R6/lib/libXfont.so \
    ./usr/X11R6/lib/libXfont.so.1 \
    ./usr/X11R6/lib/libXfont.so.1.5

To build from source, update bdfread.c to the appropriate version and then
"./build.sh -x" from the top of the src tree.

Thanks To
=========

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
http://cppcheck.sourceforge.net/ [sourceforge.net]

NetBSD would like to thank X.org for looking for and fixing this
vulnerability.

Revision History

        2014-01-07 Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
    http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-001.txt.asc [netbsd.org]

Information about NetBSD and NetBSD security can be found at
http://www.netbsd.org/ [netbsd.org] and http://www.netbsd.org/Security/ [netbsd.org] .

Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-001.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBA[damn slashdot junk filter]Zj1ZHkf
=wseV
-----END PGP SIGNATURE-----
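
The cppcheck warning quoted in the advisory ("scanf without field width limits") comes down to a `%s` conversion writing into a fixed stack buffer. The following is an added example, not code from libXfont or from the advisory: it parses one BDF record with a bounded conversion and rejects oversized names instead of truncating them. The choice of the `STARTCHAR` record, the 99-byte limit and the function name `parse_startchar` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 99              /* assumed limit for this example */
#define STR2(x) #x
#define STR(x) STR2(x)

/* The pattern cppcheck flags: "%s" has no field width, so sscanf keeps
 * writing until it sees whitespace, regardless of the destination size:
 *
 *     char name[100];
 *     sscanf(line, "STARTCHAR %s", name);
 */

/* Parse "STARTCHAR <name>" from one BDF line into out[NAME_MAX_LEN + 1].
 * Returns 0 on success, -1 if the keyword or name is missing,
 * -2 if the name is longer than NAME_MAX_LEN (rejected, not truncated). */
int parse_startchar(const char *line, char out[NAME_MAX_LEN + 1])
{
    int consumed = 0;

    out[0] = '\0';
    /* %99s stores at most 99 bytes plus the NUL; %n records the offset reached. */
    if (sscanf(line, "STARTCHAR %" STR(NAME_MAX_LEN) "s%n", out, &consumed) != 1)
        return -1;
    /* If the next byte is not whitespace or end of string, the width cut the token. */
    if (line[consumed] != '\0' && strchr(" \t\r\n", line[consumed]) == NULL) {
        out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    char big[512] = "STARTCHAR ";    /* constructed oversized line */
    memset(big + 10, 'A', 400);      /* remainder of big[] is already zero */

    printf("%d %s\n", parse_startchar("STARTCHAR U+0041\n", name), name);
    printf("%d\n", parse_startchar(big, name));
    printf("%d\n", parse_startchar("ENCODING 65\n", name));
    return 0;
}
```

Tying the field width to the buffer size through one macro keeps the two from drifting apart when the buffer is resized later.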
