10612745 2003-08-30 02:25 -0700 /80 lines/ <blexim@hush.com>
Imported: 2003-08-31 04:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28756>
Subject: Multiple integer overflows in XFree86 (local/remote)
------------------------------------------------------------
From: <blexim@hush.com>
To: bugtraq@securityfocus.com
Cc: 
Message-ID: <200308300925.h7U9PuGc098250@mailserver1.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote and local vulnerabilities in XFree86 font libraries

Product:         XFree86 (4.3.0)
Impact:          Potential privilege escalation / remote code execution
Bug class:       Integer overflow
Vendor notified: Yes
Fix available:   Yes (see end of advisory)

Details: I have identified several bugs in the font libraries of the
current version (4.3.0) of the XFree86 font libraries. These bugs
could potentially lead to the execution of arbitrary code by a remote
user in any process which calls the functions in question. The
functions are related to the transfer and enumeration of fonts from
font servers to clients, limiting the range of the exposure caused by
these bugs.


Specifically, several variables passed from a font server to a client
are not adequately checked, allowing integer overflows to cause
erroneous sizes of buffers to be calculated.  These erroneous
calculations can lead to buffers on the heap and stack overflowing,
potentially leading to arbitrary code execution. As stated before,
the risk is limited by the fact that only clients can be affected
remotely by these bugs, but in some (non default) configurations,
both xfs and XServer can act as clients to remote font servers.  In
these configurations, both xfs and XServer could be potentially
compromised remotely.  Also, it is possible for a local unprivileged
user to alter the configuration of Xserver in such a manner as to
force it to load a font from an arbitrary font server.  Since Xserver
is setuid root by default, a local user may potentially gain root
privileges.


Workaround:
To prevent the local privilege escalation, remove the suid bit from the
Xserver binary:
        chmod u-s XFree86

Ensure xfs and Xserver do not include untrusted font servers in their
font search paths.

Fix:
The current CVS version of XFree86 has been updated to correct these
issues.

Discovered by:
blexim@hush.com of isen
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9IinUACgkQsE7ilXLZoGZziQCgv3YM2FxUt9zVUFPKqpvdoPWON2kA
oLC5uhB0+QXxnjikMqt/3P0S462G
=MlA3
-----END PGP SIGNATURE-----




(10612745) /<blexim@hush.com>/------------(Rewrapped)
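
The bug class the advisory describes (a buffer size computed from values a font server sends), shown as an added example that is not part of the original advisory and is not XFree86 code. The struct, field names, function names and the MAX_REPLY_BYTES cap are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REPLY_BYTES (1u << 20)  /* hypothetical cap on one reply */

/* Hypothetical reply header: both fields are supplied by the font server. */
struct reply_hdr {
    uint32_t nitems;     /* number of records that follow */
    uint32_t item_size;  /* bytes per record */
};

/* Unchecked pattern: the 32-bit product wraps modulo 2^32, so the size
 * can be far smaller than the data a later per-item copy will write. */
uint32_t unchecked_size(const struct reply_hdr *h)
{
    return h->nitems * h->item_size;
}

/* Checked pattern: widen to 64 bits (two 32-bit values cannot overflow
 * that), then reject anything above the cap or above what was actually
 * received. Returns 0 and sets *out on success, -1 on rejection. */
int checked_size(const struct reply_hdr *h, size_t received, size_t *out)
{
    uint64_t need = (uint64_t)h->nitems * (uint64_t)h->item_size;

    if (need == 0 || need > MAX_REPLY_BYTES || need > (uint64_t)received)
        return -1;
    *out = (size_t)need;
    return 0;
}

/* Allocate and copy only after validation; NULL means the reply was
 * rejected or memory was unavailable. Caller frees the result. */
void *copy_items(const struct reply_hdr *h, const void *payload,
                 size_t received)
{
    size_t need;
    void *buf;

    if (checked_size(h, received, &need) != 0)
        return NULL;
    buf = malloc(need);
    if (buf != NULL)
        memcpy(buf, payload, need);
    return buf;
}
```

With the constructed header nitems = 0x40000001, item_size = 4, the unchecked product is 4 bytes while the reply claims over a billion records; the checked version rejects it.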