                 NetBSD Security Advisory 2014-001
                 =================================

Topic:          Stack buffer overflow in libXfont

Version:        NetBSD-current:         source prior to Tue 7th, 2014
                NetBSD 6.1:             affected
                NetBSD 6.0 - 6.0.2:     affected
                NetBSD 5.1 - 5.1.2:     affected
                NetBSD 5.2:             affected

Severity:       privilege escalation

Fixed:          NetBSD-current:         Tue 7th, 2014
                NetBSD-6-0 branch:      Tue 7th, 2014
                NetBSD-6-1 branch:      Tue 7th, 2014
                NetBSD-6 branch:        Tue 7th, 2014
                NetBSD-5-2 branch:      Tue 7th, 2014
                NetBSD-5-1 branch:      Tue 7th, 2014
                NetBSD-5 branch:        Tue 7th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A stack buffer overflow in parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont,
and likely could be exploited to run code with the privileges of
the X program (most notably, the X server, commonly running as root).

This vulnerability has been assigned CVE-2013-6462.


Technical Details
=================

From the X.org advisory:

    Scanning of the libXfont sources with the cppcheck static analyzer
    included a report of:

        [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
            scanf without field width limits can crash with huge input data.

    Evaluation of this report by X.Org developers concluded that a BDF font
    file containing a longer than expected string could overflow the buffer
    on the stack. Testing in X servers built with Stack Protector resulted
    in an immediate crash when reading a user-provided specially crafted font.

    As libXfont is used to read user-specified font files in all X servers
    distributed by X.Org, including the Xorg server which is often run with
    root privileges or as setuid-root in order to access hardware, this bug
    may lead to an unprivileged user acquiring root privileges in some systems.

    This bug appears to have been introduced in the initial RCS version 1.1
    checked in on 1991/05/10, and is thus believed to be present in every X11
    release starting with X11R5 up to the current libXfont 1.4.6.
    (Manual inspection shows it is present in the sources from the X11R5
    tarballs, but not in those from the X11R4 tarballs.)


Solutions and Workarounds
=========================

Workaround: restrict access to the X server.

Solutions: a fix is included in the following versions:

xorg: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
        HEAD            1.3
        netbsd-6        1.1.1.2.2.1
        netbsd-6-1      1.1.1.2.6.1
        netbsd-6-0      1.1.1.2.4.1
        netbsd-5        1.1.1.1.2.2
        netbsd-5-2      1.1.1.1.2.1.4.1
        netbsd-5-1      1.1.1.1.2.1.2.1

xfree: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
        HEAD            1.4
        netbsd-6        1.2.8.1
        netbsd-6-1      1.2.14.1
        netbsd-6-0      1.2.10.1
        netbsd-5        1.2.2.1
        netbsd-5-2      1.2.12.1
        netbsd-5-1      1.2.6.1

To obtain fixed binaries, fetch the appropriate xbase.tgz from a daily
build later than the fix dates, i.e.

    http://nyftp.netbsd.org/pub/NetBSD-daily////binary/sets/xbase.tgz

with a date 20140108* or larger, and your release version and architecture,
and then extract the libXfont shared library files:

for X.org environments, netbsd-6* and HEAD:

    cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
                                        ./usr/X11R7/lib/libXfont.so.3 \
                                        ./usr/X11R7/lib/libXfont.so.3.0

for X.org environments and netbsd-5*:

    cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
                                        ./usr/X11R7/lib/libXfont.so.2 \
                                        ./usr/X11R7/lib/libXfont.so.2.0

and for xfree environments:

    cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R6/lib/libXfont.so \
                                        ./usr/X11R6/lib/libXfont.so.1 \
                                        ./usr/X11R6/lib/libXfont.so.1.5

To build from source, update bdfread.c to the appropriate version and then
"./build.sh -x" from the top of the src tree.


Thanks To
=========

X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
http://cppcheck.sourceforge.net/

NetBSD would like to thank X.org for looking for and fixing this
vulnerability.


Revision History
================

        2014-01-07      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-001.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-001.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $
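
Added example (not part of the advisory and not the libXfont source): the
"scanf without field width limits" class of bug from Technical Details, shown
as a bounded parse of a BDF STARTCHAR record. The 100-byte buffer, the function
names and the sample lines are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GLYPH_NAME_SIZE 100   /* assumed buffer size for this example */

/*
 * Pattern of the kind cppcheck warns about (not compiled here):
 *     sscanf(line, "STARTCHAR %s", name);
 * "%s" has no field width, so it copies until the next whitespace
 * regardless of how large name[] is.
 */

/* Returns 0 on success, -1 if the line is not a STARTCHAR record,
 * -2 if the glyph name does not fit in the buffer. */
int parse_startchar(const char *line, char name[GLYPH_NAME_SIZE])
{
    int consumed = 0;

    name[0] = '\0';
    /* %99s writes at most 99 bytes plus the terminating NUL. */
    if (sscanf(line, "STARTCHAR %99s%n", name, &consumed) != 1)
        return -1;
    /* If a non-space byte follows, the width limit cut the name short:
     * reject the record instead of accepting a truncated name. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        name[0] = '\0';
        return -2;
    }
    return 0;
}

/* Constructed input: a STARTCHAR line with a 300-byte glyph name. */
int parse_oversized_line(void)
{
    char line[512] = "STARTCHAR ";
    char name[GLYPH_NAME_SIZE];
    size_t off = strlen(line);

    memset(line + off, 'A', 300);
    line[off + 300] = '\0';
    return parse_startchar(line, name);
}

int main(void)
{
    char name[GLYPH_NAME_SIZE];

    printf("normal:    %d\n", parse_startchar("STARTCHAR U+0041\n", name));
    printf("oversized: %d\n", parse_oversized_line());
    return 0;
}
```

The field width must be one less than the buffer size, because scanf's %s
always appends a terminating NUL after the bytes it copies.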