Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.
Hi all, please see this major site announcement: https://www.boards.ie/discussion/2058427594/boards-ie-2026

X.Org Security Advisory: CVE-2013-6462: Stack buffer overflow in parsing of BDF font

  • 10-01-2014 02:56PM
    #1
    [-0-]
    Closed Accounts Posts: 3,981 ✭✭✭


    X.Org Security Advisory: January 7, 2014 - CVE-2013-6462
    Stack buffer overflow in parsing of BDF font files in libXfont
    ==============================================================

    Description:
    ============

    Scanning of the libXfont sources with the cppcheck static analyzer
    included a report of:

    [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
    scanf without field width limits can crash with huge input data.

    Evaluation of this report by X.Org developers concluded that a BDF font
    file containing a longer than expected string could overflow the buffer
    on the stack. Testing in X servers built with Stack Protector resulted
    in an immediate crash when reading a user-provided specially crafted font.

    As libXfont is used to read user-specified font files in all X servers
    distributed by X.Org, including the Xorg server which is often run with
    root privileges or as setuid-root in order to access hardware, this bug
    may lead to an unprivileged user acquiring root privileges in some systems.

    Affected Versions
    =================

    This bug appears to have been introduced in the initial RCS version 1.1
    checked in on 1991/05/10, and is thus believed to be present in every X11
    release starting with X11R5 up to the current libXfont 1.4.6.
    (Manual inspection shows it is present in the sources from the X11R5
    tarballs, but not in those from the X11R4 tarballs.)

    Fixes
    =====

    A fix is available via the attached patch, which is also included in
    libXfont 1.4.7, released today, and available in the libXfont git repo:
    http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63

    Thanks
    ======

    X.Org thanks the authors of the cppcheck tool for making their static
    analyzer available as an open source project we can all benefit from.
    http://cppcheck.sourceforge.net/

    --
    -Alan Coopersmith- alan.coopersmith at oracle.com
    X.Org Security Response Team - xorg-security at lists.x.org
    next part
    From 4d024ac10f964f6bd372ae0dd14f02772a6e5f63 Mon Sep 17 00:00:00 2001
    From: Alan Coopersmith <alan.coopersmith at oracle.com>
    Date: Mon, 23 Dec 2013 18:34:02 -0800
    Subject: [PATCH:libXfont] CVE-2013-6462: unlimited sscanf overflows stack
    buffer in bdfReadCharacters()

    Fixes cppcheck warning:
    [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
    scanf without field width limits can crash with huge input data. 
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
---
 src/bitmap/bdfread.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index e2770dc..e11c5d2 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
 	char        charName[100];
 	int         ignore;
 
-	if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 	    bdfError("bad character name in BDF file\n");
 	    goto BAILOUT;	/* bottom of function, free and return error */
 	}
-- 
1.7.9.2

    Source: http://lists.x.org/archives/xorg-announce/2014-January/002389.html

    This is fairly brutal, given how infrequent embedded devices update X.org.


Advertisement