From: "Rene Ladan"
To: x11@freebsd.org
Date: Tue, 2 Oct 2007 20:01:30 +0200
Subject: Fwd: [ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server
In-Reply-To: <47027C06.4000703@laas.fr>
References: <47027C06.4000703@laas.fr>

FYI,
Rene

---------- Forwarded message ----------
From: Matthieu Herrb
Date: 2 Oct 2007 19:12
Subject: [ANNOUNCE] X.Org security advisory: multiple vulnerabilities in X font server
To: xorg-announce@lists.freedesktop.org, xorg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org security advisory, October 2nd, 2007
Multiple vulnerabilities in X font server
CVE ID: CVE-2007-4568

Overview

Several vulnerabilities have been identified in xfs, the X font
server. The QueryXBitmaps and QueryXExtents protocol requests suffer
from lack of validation of their 'length' parameters.

Maliciously crafted requests can either cause two different problems
with both requests:

* An integer overflow in the computation of the size of a dynamic
  buffer can lead to a heap overflow in the build_range() function.

* An arbitrary number of bytes on the heap can be swapped by the
  swap_char2b() function.

Impact

These vulnerabilities can lead to code execution in the font server.

On most modern systems, the font server is accessible only for local
clients and runs with reduced privileges. But on some systems it may
still be accessible from remote clients and possibly running with root
privileges, creating an opportunity for remote privilege escalation.

Affected versions

All X.Org released versions of xfs are vulnerable to these problems.
Other implementations of the font server based on the X11R6 sample
implementation are likely to be vulnerable too.

Fix

A fix for these vulnerabilities is included in xfs 1.0.5.

A patch for xfs 1.0.4 (included in X11R7.3) that should apply on
former versions with minor tweaks is also available:

ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xfs-1.0.4-query.diff

MD5:  e61a30a8cff105b86f8b924d84508e24  xorg-xfs-1.0.4-query.diff
SHA1: 093db0ce2c134ebc40e47a40db89503dad2b0f3e  xorg-xfs-1.0.4-query.diff

Thanks

These vulnerabilities were discovered by Sean Larsson from iDefense
Labs.

- --
Matthieu Herrb

--
GPG fingerprint = E738 5471 D185 7013 0EE0 4FC8 3C1D 6F83 12E1 84F6 (subkeys.pgp.net)

"It won't fit on the line."
                -- me, 2001
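
The advisory names two consequences of an unvalidated client 'length': a wrapped buffer-size computation and a byte swap that runs past the received data. The C sketch below is an added illustration of that bug class and the matching validation; it is not code from xfs, the patch or the advisory, and every type and function name in it (char2b, char_range, count_is_valid, swap_chars_checked, build_ranges_checked) is hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical wire types for this sketch (not the xfs definitions). */
typedef struct { uint8_t hi, lo; } char2b;
typedef struct { char2b min, max; } char_range;

/* The bug class: a 32-bit size computed from a client-supplied count wraps. */
uint32_t range_bytes_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(char_range);
}

/* A count is valid only if the payload backs it and it forms (min, max) pairs. */
int count_is_valid(uint32_t num_chars, size_t payload_len) {
    return num_chars <= payload_len / sizeof(char2b) && num_chars % 2 == 0;
}

/* Swap the two bytes of each character, never touching memory past the payload. */
int swap_chars_checked(uint8_t *payload, size_t payload_len, uint32_t num_chars) {
    if (!count_is_valid(num_chars, payload_len))
        return -1;
    for (uint32_t i = 0; i < num_chars; i++) {
        uint8_t t = payload[2 * i];
        payload[2 * i] = payload[2 * i + 1];
        payload[2 * i + 1] = t;
    }
    return 0;
}

/* Build the range table; NULL means the request must be rejected. */
char_range *build_ranges_checked(const uint8_t *payload, size_t payload_len,
                                 uint32_t num_chars, size_t *out_count) {
    if (num_chars == 0 || !count_is_valid(num_chars, payload_len))
        return NULL;
    size_t count = num_chars / 2;   /* bounded by payload_len, so it cannot wrap */
    char_range *r = calloc(count, sizeof *r);
    if (r == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        r[i].min = (char2b){ payload[4 * i], payload[4 * i + 1] };
        r[i].max = (char2b){ payload[4 * i + 2], payload[4 * i + 3] };
    }
    *out_count = count;
    return r;
}
```

Both checked functions compare the claimed count with the number of bytes actually received before they touch memory, so a count such as 0x40000001 is rejected instead of producing a 4-byte allocation.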