FS#40409 - [libxfont] multiple CVE's
Attached to Project:
Arch Linux
Opened by Billy Wayne McCann (bwayne) - Saturday, 17 May 2014, 13:53 GMT
Last edited by Laurent Carlier (lordheavy) - Saturday, 17 May 2014, 14:13 GMT
Opened by Billy Wayne McCann (bwayne) - Saturday, 17 May 2014, 13:53 GMT
Last edited by Laurent Carlier (lordheavy) - Saturday, 17 May 2014, 14:13 GMT
|
Details
Description:
- CVE-2014-0209: integer overflow of allocations in font metadata file parsing When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap. Affected functions: FontFileAddEntry(), lexAlias() - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data. Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info() - CVE-2014-0211: integer overflows calculating memory needs for xfs replies These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer. Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info() Affected Versions ================= X.Org believes all prior versions of this library contain these flaws, dating back to its introduction in X11R5. X.Org believes all prior versions of this library contain these flaws, dating back to its introduction in X11R5. Solution ================= update to libXfont 1.4.8 http://cgit.freedesktop.org/xorg/lib/libXfont/snapshot/libXfont-libXfont-1.4.8.tar.gz Misc Info ================= Announcement: http://seclists.org/oss-sec/2014/q2/302 |
This task depends upon
Closed by Laurent Carlier (lordheavy)
Saturday, 17 May 2014, 14:13 GMT
Reason for closing: Fixed
Additional comments about closing: libxfont-1.4.7-3
Saturday, 17 May 2014, 14:13 GMT
Reason for closing: Fixed
Additional comments about closing: libxfont-1.4.7-3