[X font server] integer overflow and heap corruption vulnerability

Bug #148940 reported by disabled.user
Affects | Status | Importance | Assigned to | Milestone
xfs (Ubuntu) | Fix Released | Critical | Bryce Harrington |
Dapper | Won't Fix | Undecided | Unassigned |
Edgy | Won't Fix | Undecided | Unassigned |
Feisty | Won't Fix | Undecided | Unassigned |
Gutsy | Fix Released | Critical | Bryce Harrington |

Bug Description

Binary package hint: xfs

References:
[1] http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html
[2] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602

Affected versions:
According to [1], all prior to xfs 1.0.5

Short summary (from [1]):
"Several vulnerabilities have been identified in xfs, the X font
server. The QueryXBitmaps and QueryXExtents protocol requests suffer
from lack of validation of their 'length' parameters.
[...]
These vulnerabilities can lead to code execution in the font
server. On most modern systems, the font server is accessible only for
local clients and runs with reduced privileges. But on some systems it
may still be accessible from remote clients and possibly running with
root privileges, creating an opportunity for remote privilege
escalation."

Patch for xfs 1.0.4 (included in X11R7.3):
ftp://ftp.freedesktop.org/pub/X11R7.3/patches/xorg-xfs-1.0.4-query.diff

The patch could be added to Gutsy before release, although xfs is part of universe.
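
The validation the quoted advisory says was missing, sketched as an added example; this is not the xfs patch or xfs code. The structure layout, names and return codes are hypothetical, chosen only to show a client-declared length and count being checked before allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire layout, NOT the real xfs structures: a fixed header
 * followed by num_ranges range_t entries. 'length' is the size of the
 * whole request in 4-byte units, as declared by the client. */
typedef struct { uint8_t opcode, pad; uint16_t length; uint32_t num_ranges; } req_hdr_t;
typedef struct { uint16_t min_char, max_char; } range_t;

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_NO_MEM = -2 };

/* Copy the ranges out of a received request, trusting neither length field. */
int parse_ranges(const uint8_t *buf, size_t received, range_t **out, uint32_t *count)
{
    req_hdr_t hdr;
    *out = NULL;
    *count = 0;
    if (received < sizeof hdr) return REQ_BAD_LENGTH;
    memcpy(&hdr, buf, sizeof hdr);

    /* The declared size must cover the header and not exceed what was read. */
    size_t declared = (size_t)hdr.length * 4;
    if (declared < sizeof hdr || declared > received) return REQ_BAD_LENGTH;

    /* Bound the count by division. Computing num_ranges * sizeof(range_t)
     * first can wrap where size_t is 32 bits (0x40000001 * 4 == 4), which
     * would pass a naive size check and under-allocate the buffer. */
    if (hdr.num_ranges > (declared - sizeof hdr) / sizeof(range_t)) return REQ_BAD_LENGTH;
    if (hdr.num_ranges == 0) return REQ_OK;

    range_t *r = calloc(hdr.num_ranges, sizeof *r);
    if (r == NULL) return REQ_NO_MEM;
    memcpy(r, buf + sizeof hdr, (size_t)hdr.num_ranges * sizeof *r);
    *out = r;
    *count = hdr.num_ranges;
    return REQ_OK;
}
```

The caller owns the returned array and releases it with free().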

disabled.user (disabled.user-deactivatedaccount) wrote :

Hmm, sorry, wanted to attach the patch, but the link gives a "550 Failed to change directory.".

Bryce Harrington (bryce) wrote :

Thanks, I've applied the patch and uploaded to universe.

Changed in xfs:
assignee: nobody → bryceharrington
importance: Undecided → Critical
status: New → Fix Committed
Bryce Harrington (bryce) wrote :

xfs (1:1.0.4-2ubuntu1) gutsy; urgency=low

  * CVE-2007-4568: Added debian/patches/100_cve_2007_4568_QueryXBits.patch
    to fix several vulnerabilities with QueryXBitmaps and QueryXExtents
    protocol requests. (Closes LP: #148940)
  * debian/control: Set maintainer to Ubuntu

 -- Bryce Harrington <email address hidden> Thu, 04 Oct 2007 15:18:29 -0700

Changed in xfs:
status: Fix Committed → Fix Released
disabled.user (disabled.user-deactivatedaccount) wrote :

Thanks for the quick response. If a backported fix could be applied to the stable releases, it would be very nice, too.

Bryce Harrington (bryce) wrote :

Attaching the patch for the convenience of anyone wishing to backport it.

Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in xfs:
status: New → Won't Fix
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in xfs:
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in xfs (Ubuntu Dapper):
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.