execution security issue
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libxfont (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
This libXfont issue could allow attackers to execute privileges with the same rights as the X.Org Server, which is generally root. The advisory reads:
Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.
As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).
The resulting CVEs are "CVE-2015-1802: bdfReadProperties: property count needs range check", "CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read", and "CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct."
http://
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libxfont1 1:1.4.99.901-1
Architecture: i386
Date: Tue Mar 17 18:05:30 2015
SourcePackage: libxfont
libxfont (1:1.4.99.901-1ubuntu1) vivid; urgency=medium
  * SECURITY UPDATE: arbitrary code execution via invalid property count
    - debian/patches/CVE-2015-1802.patch: check for integer overflow in
      src/bitmap/bdfread.c.
    - CVE-2015-1802
  * SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
    - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
      in src/bitmap/bdfread.c.
    - CVE-2015-1803
  * SECURITY UPDATE: arbitrary code execution via invalid metrics
    - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
      src/bitmap/bdfread.c.
    - CVE-2015-1804
-- Marc Deslauriers <email address hidden> Wed, 18 Mar 2015 07:26:08 -0400
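
The first and third changelog entries above both come down to validating integers read from a BDF file before they reach an allocation size or a narrow struct field. The C below is an added example of those two checks, not libXfont's code or the Ubuntu patches; `prop_rec`, `glyph_metrics`, `EXTRA_PROPS` and both function names are hypothetical, the metric fields are assumed to be 16-bit, and the sample lines are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the parser's records, not libXfont's types. */
typedef struct { long name, value; } prop_rec;
typedef struct { int16_t lsb, rsb, ascent, descent; } glyph_metrics;
#define EXTRA_PROPS 2 /* assumed: entries the reader appends on its own */

/* "STARTPROPERTIES <n>": allocate only when n is non-negative and
 * (n + EXTRA_PROPS) * sizeof(prop_rec) stays below INT32_MAX. */
prop_rec *alloc_props(const char *line, int *count)
{
    int n;
    if (sscanf(line, "STARTPROPERTIES %d", &n) != 1)
        return NULL;
    if (n < 0 || (size_t)n > INT32_MAX / sizeof(prop_rec) - EXTRA_PROPS)
        return NULL; /* range check happens before any size arithmetic */
    *count = n;
    return calloc((size_t)n + EXTRA_PROPS, sizeof(prop_rec));
}

static int fits16(int64_t v) { return v >= INT16_MIN && v <= INT16_MAX; }

/* "BBX <w> <h> <xoff> <yoff>": derive metrics in a wide type and store
 * them only if each one fits its 16-bit field. Returns 0 on success. */
int set_metrics(const char *line, glyph_metrics *m)
{
    int w, h, x, y;
    if (sscanf(line, "BBX %d %d %d %d", &w, &h, &x, &y) != 4 || w < 0 || h < 0)
        return -1;
    int64_t rsb = (int64_t)x + w, asc = (int64_t)y + h, desc = -(int64_t)y;
    if (!fits16(x) || !fits16(rsb) || !fits16(asc) || !fits16(desc))
        return -1; /* narrowing would silently truncate the value */
    m->lsb = (int16_t)x;      m->rsb = (int16_t)rsb;
    m->ascent = (int16_t)asc; m->descent = (int16_t)desc;
    return 0;
}

int main(void)
{
    glyph_metrics m; int n = 0; /* sample lines below are constructed */
    prop_rec *p = alloc_props("STARTPROPERTIES 3", &n);
    int huge = alloc_props("STARTPROPERTIES 2147483647", &n) == NULL;
    printf("valid=%d huge_rejected=%d wide_glyph=%d\n", p != NULL, huge,
           set_metrics("BBX 40000 8 0 0", &m));
    free(p);
    return 0;
}
```

The sample inputs stay within `int` range; a parser that must also survive digit strings longer than that would read them with `strtol` and check `errno`.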