Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#40409 - [libxfont] multiple CVE's

Attached to Project: Arch Linux
Opened by Billy Wayne McCann (bwayne) - Saturday, 17 May 2014, 13:53 GMT
Last edited by Laurent Carlier (lordheavy) - Saturday, 17 May 2014, 14:13 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

When a local user who is already authenticated to the X server adds
a new directory to the font path, the X server calls libXfont to open
the fonts.dir and fonts.alias files in that directory and add entries
to the font tables for every line in it. A large file (~2-4 gb) could
cause the allocations to overflow, and allow the remaining data read
from the file to overwrite other memory in the heap.

Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

When parsing replies received from the font server, these calls do not
check that the lengths and/or indexes returned by the font server are
within the size of the reply or the bounds of the memory allocated to
store the data, so could write past the bounds of allocated memory when
storing the returned data.

Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

These calls do not check that their calculations for how much memory
is needed to handle the returned data have not overflowed, so can
result in allocating too little memory and then writing the returned
data past the end of the allocated buffer.

Affected functions: fs_get_reply(), fs_alloc_glyphs(),

Affected Versions

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.

update to libXfont 1.4.8

Misc Info
This task depends upon

Closed by  Laurent Carlier (lordheavy)
Saturday, 17 May 2014, 14:13 GMT
Reason for closing:  Fixed
Additional comments about closing:  libxfont-1.4.7-3