Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps A-M :: bt959.txt

Multiple integer overflows in XFree86 (local/remote)

Hash: SHA1

Remote and local vulnerabilities in XFree86 font libraries

Product:         XFree86 (4.3.0)
Impact:          Potential privilege escalation / remote code execution
Bug class:       Integer overflow
Vendor notified: Yes
Fix available:   Yes (see end of advisory)

I have identified several bugs in the font libraries of the current version
(4.3.0) of the XFree86 font libraries. These bugs could potentially
lead to the execution of arbitrary code by a remote user in any process
which calls the functions in question. The functions are related to
the transfer and enumeration of fonts from font servers to clients, limiting
the range of the exposure caused by these bugs.

Specifically, several variables passed from a font server to a
client are not adequately checked, allowing integer overflows to cause
sizes of buffers to be calculated.  These erroneous calculations can
lead to
buffers on the heap and stack overflowing, potentially leading to arbitrary
execution. As stated before, the risk is limited by the fact that only
clients can be affected remotely by these bugs, but in some (non default)
configurations, both xfs and XServer can act as clients to remote font
In these configurations, both xfs and XServer could be potentially compromised
remotely.  Also, it is possible for a local unprivileged user to alter

the configuration of Xserver in such a manner as to force it to load
a font from an arbitrary font server.  Since Xserver is setuid root by
default, a local user may potentially gain root privileges.

To prevent the local privilege escalation, remove the suid bit from the
Xserver binary:
        chmod u-s XFree86

Ensure xfs and Xserver do not include untrusted font servers in their
search paths.

The current CVS version of XFree86 has been updated to correct these

Discovered by: of isen
Note: This signature can be verified at
Version: Hush 2.3


Concerned about your privacy? Follow this link to get
FREE encrypted email:

Free, ultra-private instant messaging with Hush Messenger

Promote security and make money with the Hushmail Affiliate Program:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH