NetBSD Security Advisory 2016-002: BDF file parsing issues in libXfont
16 April, 2016 by security-officer@netbsd.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2016-002 ================================= Topic: BDF file parsing issues in libXfont Version: NetBSD-current: affected prior to 20150319 NetBSD 6.1 - 6.1.5: affected NetBSD 6.0 - 6.0.6: affected NetBSD 5.1 - 5.1.4: affected NetBSD 5.2 - 5.2.2: affected pkgsrc: affected Severity: remote DoS, potential local privilege escalation Fixed: NetBSD-current: March 18th, 2015 NetBSD-6 branch: March 18th, 2015 NetBSD-6-1 branch: March 18th, 2015 NetBSD-6-0 branch: March 18th, 2015 NetBSD-5 branch: March 18th, 2015 NetBSD-5-2 branch: March 18th, 2015 NetBSD-5-1 branch: March 18th, 2015 pkgsrc: libXfont-1.5.1 corrects this issue Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files. As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access). These vulnerabilities have been assigned CVE-2015-1802, CVE-2015-1803, and CVE-2015-1804. Technical Details ================= CVE-2015-1802: bdfReadProperties: property count needs range check The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access. X.Org believes all prior versions of this library contain these flaws, dating back to its introduction in X11R5. Solutions and Workarounds ========================= Workaround: don't allow clients that might open unvetted fonts on your X server. Note this includes web browsers. Solution: replace a vulnerable libXfont with a fixed version. Binary fixes: download http://nyftp.NetBSD.org/pub/NetBSD-daily/REL/DATE/ARCH/binary/sets/xbase.tgz with REL being your NetBSD release version DATE being a date past the fix date for your release ARCH being the architecture of the system to be fixed libXfont paths will differ by version and architecture, depending on whether your architecture uses /usr/X11R6 or /usr/X11R7: X11R6: ./usr/X11R6/lib/libXfont.so ./usr/X11R6/lib/libXfont.so.1 ./usr/X11R6/lib/libXfont.so.1.5 X11R7: all versions ./usr/X11R7/lib/libXfont.so netbsd-5* ./usr/X11R7/lib/libXfont.so.2 ./usr/X11R7/lib/libXfont.so.2.0 netbsd-6-0+ ./usr/X11R7/lib/libXfont.so.3 ./usr/X11R7/lib/libXfont.so.3.0 so e.g. for a NetBSD 6.0 or younger amd64 system you'd do: cd / && tar xzpf path-to/xbase.tgz ./usr/X11R7/lib/libXfont.so \ ./usr/X11R7/lib/libXfont.so.3 \ ./usr/X11R7/lib/libXfont.so.3.0 - From source: affected files and fixed versions are: X11R7: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c netbsd-5-1 1.1.1.1.2.1.2.2 netbsd-5-2 1.1.1.1.2.1.4.2 netbsd-5 1.1.1.1.2.3 netbsd-6-1 1.1.1.2.6.2 netbsd-6-0 1.1.1.2.4.2 netbsd-6 1.1.1.2.2.2 netbsd-7 1.3.4.1 HEAD 1.4 X11R6: xsrc/xfree/xc/lib/font/bitmap/bdfread.c netbsd-5-1 1.2.6.2 netbsd-5-2 1.2.12.2 netbsd-5 1.2.2.2 netbsd-6-0 1.2.10.2 netbsd-6-1 1.2.14.2 netbsd-6 1.2.8.2 netbsd-7 1.4.4.1 HEAD 1.5 use build.sh -x distribution to build a new system including X after updating your source. Thanks To ========= Thanks to Ilja van Sprundel, Alan Coopersmith and William Robinet and the text of X.Org advisory 2015-03-17 http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/ Revision History ================ 2016-04-16 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-NNN.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2016-002.txt,v 1.1 2016/04/16 15:18:30 christos Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJXElf/AAoJEAZJc6xMSnBuOOYP/1q6ki3lIYr/aFHtvVZ0eYXz IpMvB46B/EtNUGE+jevLh07gBIYf/tbpuBMv6lxH1XvhIUgWFoCDHUARhNC2QyKo 2N1yFrFKMDfkzyhZmH+MBDjbI2FTiwOApZCoyDXBJ8Cerz0jwJBq5u6uoi1GY3e+ nxU/6jjBO1ndElgOGFcVzHaX6BwhsLn0O7eoPmE/nAnqZtOX7b2upmnP4nxvQkPi zwUzI4FOZPIS5erkdV+6rQr0yP42aSOLOo0UVxBjnnZP03FkJvshC8YXjwFfvxsl 6zIbZ6oKzk25CEZG+c2zKJ2kWrpTavH770bm938jUsktdILoLo9S5KMVYO1sO/Da O/DzHl/8QYXg0vgKxXwgmx2cFXi89SLcvJnT0mFJVaA0FR6Lbqx3QxqwtZFvOmVg GvSEBpNgsCbtUxurrnCEz0Zp6gCbCraSBl8CLrutS5lNI6GBCjP+9RrVYyKHQ9at 3Lcm+4rZ3JerqoEWC3jlH369aEFF5jvFw4uDROuWo+vWi/fWkzM0JXFEejo66Q/b llP7JIAcyZ4dywGvR7z4IP7KrKOpMmcyQ+U+xvCdflpIw/6KiY6urAKea8FTo5Es IvK1mLCHPuORzDUsUsNmxNv7M2uqzw4fXhIO2pvU/4bztIuoLVT5BSRbWzT7p18d KDho1mAZzVpQXpvPE5Un =H3Tk -----END PGP SIGNATURE-----