Ubuntu
libxfont package

execution security issue

Bug #1433214 reported by dino99
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libxfont (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

This libXfont issue could allow attackers to execute privileges with the same rights as the X.Org Server, which is generally root. The advisory reads:
Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).
The resulting CVEs are "CVE-2015-1802: bdfReadProperties: property count needs range check", "CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read", and "CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct."

http://www.phoronix.com/scan.php?page=news_item&px=BDF-File-Parsing-libXfont

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libxfont1 1:1.4.99.901-1
ProcVersionSignature: Ubuntu 3.19.0-9.9-generic 3.19.1
Uname: Linux 3.19.0-9-generic i686
NonfreeKernelModules: nvidia
.proc.driver.nvidia.registry: Binary: ""
.proc.driver.nvidia.version:
 NVRM version: NVIDIA UNIX x86 Kernel Module 346.47 Thu Feb 19 18:02:21 PST 2015
 GCC version: gcc version 4.9.2 (Ubuntu 4.9.2-10ubuntu8)
ApportVersion: 2.16.2-0ubuntu3
Architecture: i386
CurrentDesktop: GNOME
Date: Tue Mar 17 18:05:30 2015
DistUpgraded: Fresh install
DistroCodename: vivid
DistroVariant: ubuntu
DkmsStatus:
 nvidia-346, 346.47, 3.19.0-9-generic, i686: installed
 vboxhost, 4.3.26, 3.19.0-9-generic, i686: installed
GraphicsCard:
 NVIDIA Corporation GM107 [GeForce GTX 750] [10de:1381] (rev a2) (prog-if 00 [VGA controller])
   Subsystem: Gigabyte Technology Co., Ltd Device [1458:362e]
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 003 Device 002: ID 046d:c50e Logitech, Inc. Cordless Mouse Receiver
 Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: ASUSTEK COMPUTER INC P5W DH Deluxe
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-9-generic root=UUID=7b1f4a51-558f-468f-85e0-f815d2f791e1 ro
SourcePackage: libxfont
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/22/2010
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 3002
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: P5W DH Deluxe
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr3002:bd07/22/2010:svnASUSTEKCOMPUTERINC:pnP5WDHDeluxe:pvrSystemVersion:rvnASUSTeKComputerINC.:rnP5WDHDeluxe:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: P5W DH Deluxe
dmi.product.version: System Version
dmi.sys.vendor: ASUSTEK COMPUTER INC
version.compiz: compiz 1:0.9.12.1+15.04.20150303-0ubuntu1
version.libdrm2: libdrm2 2.4.59-0ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 10.5.0-0ubuntu1
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 10.5.0-0ubuntu1
version.nvidia-graphics-drivers: nvidia-graphics-drivers N/A
version.xserver-xorg-core: xserver-xorg-core 2:1.17.1-0ubuntu2
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.9.0-1ubuntu2
version.xserver-xorg-video-ati: xserver-xorg-video-ati N/A
version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.11-1ubuntu2build1
xserver.bootTime: Tue Mar 17 07:28:42 2015
xserver.configfile: default
xserver.devices:
 input Power Button KEYBOARD, id 6
 input Power Button KEYBOARD, id 7
 input Logitech USB RECEIVER MOUSE, id 8
 input AT Translated Set 2 keyboard KEYBOARD, id 9
xserver.errors:
 Failed to load module "fbdev" (module does not exist, 0)
 Failed to load module "fbdev" (module does not exist, 0)
xserver.logfile: /var/log/Xorg.0.log
xserver.outputs:

xserver.version: 2:1.17.1-0ubuntu2

CVE References

Revision history for this message
dino99 (9d9) wrote :
Revision history for this message
dino99 (9d9) wrote :

libxfont (1:1.4.99.901-1ubuntu1) vivid; urgency=medium

  * SECURITY UPDATE: arbitrary code exection via invalid property count
    - debian/patches/CVE-2015-1802.patch: check for integer overflow in
      src/bitmap/bdfread.c.
    - CVE-2015-1802
  * SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
    - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
      in src/bitmap/bdfread.c.
    - CVE-2015-1803
  * SECURITY UPDATE: arbitrary code execution via invalid metrics
    - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
      src/bitmap/bdfread.c.
    - CVE-2015-1804

 -- Marc Deslauriers <email address hidden> Wed, 18 Mar 2015 07:26:08 -0400

Changed in libxfont (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.