FS#44226 - [libxfont] CVE-2015-1802, CVE-2015-1803 and CVE-2015-1804 fixed in libxfont 1.5.1

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Tuesday, 17 March 2015, 16:57 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 17 March 2015, 19:58 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hello,

libxfont 1.5.1 has been released [0], addressing several security issues [1][2][3][4], allowing at least local privilege escalation.

[0]: http://cgit.freedesktop.org/xorg/lib/libXfont/tag/?id=libXfont-1.5.1
[1]: http://www.openwall.com/lists/oss-security/2015/03/17/5
[2]: CVE-2015-1802: bdfReadProperties: property count needs range check

The bdf parser reads a count for the number of properties defined in
a font from the font file, and allocates arrays with entries for each
property based on that count. It never checked to see if that count
was negative, or large enough to overflow when multiplied by the size
of the structures being allocated, and could thus allocate the wrong
buffer size, leading to out of bounds writes.

[3]: CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap
data and later crash when trying to read the bitmap from that pointer.

[4]: CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

The bdf parser read metrics values as 32-bit integers, but stored
them into 16-bit integers. Overflows could occur in various operations
leading to out-of-bounds memory access.

Closed by  Andreas Radke (AndyRTR)
Tuesday, 17 March 2015, 19:58 GMT
Reason for closing:  Fixed
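
The range checks described for CVE-2015-1802 and CVE-2015-1804 above, as an added example that is not part of the original report and is not libXfont's own code. The names `prop_rec`, `alloc_props` and `store_metric` are hypothetical, and the input lines are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-property record; not libXfont's own type. */
struct prop_rec { long name; long value; };

/*
 * Parse a BDF "STARTPROPERTIES <n>" line (untrusted input) and allocate
 * one record per property. Returns NULL when the line is malformed, the
 * count is negative, or count * sizeof(record) would exceed INT_MAX.
 */
struct prop_rec *alloc_props(const char *line, int *n_out)
{
    int n;
    if (sscanf(line, "STARTPROPERTIES %d", &n) != 1)
        return NULL;
    if (n < 0 || (size_t)n > (size_t)INT_MAX / sizeof(struct prop_rec))
        return NULL;
    *n_out = n;
    /* Allocate at least one entry so a zero count is not mistaken for failure. */
    return calloc(n ? (size_t)n : 1, sizeof(struct prop_rec));
}

/*
 * Store a 32-bit metric read from the file into a 16-bit field only when
 * it fits. Returns 0 on success, -1 if the value would be truncated.
 */
int store_metric(int32_t parsed, int16_t *out)
{
    if (parsed < INT16_MIN || parsed > INT16_MAX)
        return -1;
    *out = (int16_t)parsed;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *lines[] = { "STARTPROPERTIES 3", "STARTPROPERTIES -1",
                            "STARTPROPERTIES 2147483647" };
    for (int i = 0; i < 3; i++) {
        int n = 0;
        struct prop_rec *p = alloc_props(lines[i], &n);
        printf("%-28s -> %s\n", lines[i], p ? "accepted" : "rejected");
        free(p);
    }
    return 0;
}
```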
