
Bug#232378: marked as done (xfree86: XFree86 local exploitable buffer overflow (SECURITY))



Your message dated Thu, 19 Feb 2004 21:07:51 -0500
with message-id <20040220020751.GF27310@deadbeast.net>
and subject line Bug#232378: xfree86: XFree86 local exploitable buffer overflow (SECURITY)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Feb 2004 11:39:43 +0000
From tburnus@physik.fu-berlin.de Thu Feb 12 03:39:43 2004
Return-path: <tburnus@physik.fu-berlin.de>
Received: from down.physik.fu-berlin.de [160.45.34.6] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1ArFC3-0006b6-00; Thu, 12 Feb 2004 03:39:43 -0800
Received: from g35.physik.fu-berlin.de (g35.physik.fu-berlin.de [160.45.34.135])
	by down.physik.fu-berlin.de (8.11.1/8.9.1) with ESMTP id i1CBdeo1235806;
	Thu, 12 Feb 2004 12:39:40 +0100 (CET)
X-Envelope-From: tburnus@physik.fu-berlin.de
X-ZEDV-BeenThere: nukleon
Received: from tburnus by g35.physik.fu-berlin.de with local (Exim 3.36 #1 (Debian))
	id 1ArFC2-0005aA-00; Thu, 12 Feb 2004 12:39:42 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Tobias Burnus <tobias.burnus@physik.fu-berlin.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xfree86: XFree86 local exploitable buffer overflow (SECURITY)
X-Mailer: reportbug 2.39
Date: Thu, 12 Feb 2004 12:39:42 +0100
Message-Id: <E1ArFC2-0005aA-00@g35.physik.fu-berlin.de>
Sender: Tobias Burnus <tburnus@physik.fu-berlin.de>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_10 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=HAS_PACKAGE autolearn=no 
	version=2.60-bugs.debian.org_2004_02_10
X-Spam-Level: 

Package: xfree86
Severity: serious

See
http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false
and existing exploit in
http://www.securityfocus.com/archive/1/353493/2004-02-09/2004-02-15/0

The patch is available from
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff

Both Woody and Sarge/Unstable are affected.

Description:
Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.

The problem specifically exists in the parsing of the 'font.alias' file.
The X server (running as root) fails to check the length of user
provided input. A malicious user may craft a malformed 'font.alias'
file causing a buffer overflow upon parsing, eventually leading to the
execution of arbitrary code.

Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux g35 2.4.24-nfsacl-libata-drbd-up #1 Mon Jan 5 22:37:02 CET 2004 i686
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8


---------------------------------------
Received: (at 232378-done) by bugs.debian.org; 20 Feb 2004 02:07:52 +0000
From branden@deadbeast.net Thu Feb 19 18:07:52 2004
Return-path: <branden@deadbeast.net>
Received: from dhcp065-026-182-085.indy.rr.com (redwald.deadbeast.net) [65.26.182.85] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Au052-0006lM-00; Thu, 19 Feb 2004 18:07:52 -0800
Received: by redwald.deadbeast.net (Postfix, from userid 1000)
	id 3536B640CA; Thu, 19 Feb 2004 21:07:51 -0500 (EST)
Date: Thu, 19 Feb 2004 21:07:51 -0500
From: Branden Robinson <branden@debian.org>
To: 232378-done@bugs.debian.org
Subject: Re: Bug#232378: xfree86: XFree86 local exploitable buffer overflow (SECURITY)
Message-ID: <20040220020751.GF27310@deadbeast.net>
References: <E1ArFC2-0005aA-00@g35.physik.fu-berlin.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="/aVve/J9H4Wl5yVO"
Content-Disposition: inline
In-Reply-To: <E1ArFC2-0005aA-00@g35.physik.fu-berlin.de>
Mail-Copies-To: nobody
X-No-CC: I subscribe to this list; do not CC me on replies.
User-Agent: Mutt/1.5.5.1+cvs20040105i
Delivered-To: 232378-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_18 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=HAS_BUG_NUMBER autolearn=no 
	version=2.60-bugs.debian.org_2004_02_18
X-Spam-Level: 


--/aVve/J9H4Wl5yVO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 12, 2004 at 12:39:42PM +0100, Tobias Burnus wrote:
> Package: xfree86
> Severity: serious
>
> See
> http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false
> and existing exploit in
> http://www.securityfocus.com/archive/1/353493/2004-02-09/2004-02-15/0
>
> The patch is available from
> ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff
>
> Both Woody and Sarge/Unstable are affected.
>
> Description:
> Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
> X Window System allows local attackers to gain root privileges.
>
> The problem specifically exists in the parsing of the 'font.alias' file.
> The X server (running as root) fails to check the length of user
> provided input. A malicious user may craft a malformed 'font.alias'
> file causing a buffer overflow upon parsing, eventually leading to the
> execution of arbitrary code.
>
> Successful exploitation requires that an attacker be able to execute
> commands in the X11 subsystem. This can be done either by having console
> access to the target or through a remote exploit against any X client
> program such as a web-browser, mail-reader or game. Successful
> exploitation yields root access.

This was fixed in 4.3.0-2, which was accepted into Debian unstable on 18
February.

xfree86 (4.3.0-1) experimental; urgency=low

  * Grab fixes to upstream CVS xf-4_3-branch since last pull.
[...]
      + (xc/lib/font/fontfile/dirfile.c):
          Fix font alias overrun. [SECURITY FIX] (CAN-2004-0083)
[...]
      + (xc/lib/font/fontfile/dirfile.c,
         xc/lib/font/fontfile/encparse.c,
         xc/lib/font/fontfile/fontfile.c):
          1013. Some more font path checks.
[...]
 -- Branden Robinson <branden@debian.org>  Tue, 17 Feb 2004 12:58:28 -0500

XFree86 4.1.0-16woody3, which fixes these issues for Debian 3.0
("woody") has been in the hands of the security team for several days,
and will be released when the build infrastructure finishes compiling it
for all of the architectures supported in woody.

Thank you again for your report.

Closing.

-- 
G. Branden Robinson                |    Somebody once asked me if I thought
Debian GNU/Linux                   |    sex was dirty.  I said, "It is if
branden@debian.org                 |    you're doing it right."
http://people.debian.org/~branden/ |    -- Woody Allen

--/aVve/J9H4Wl5yVO--
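
The missing length check described in the report, shown as a bounds-checked parser for one alias line. This is an added illustration, not the XFree86 source or the upstream fontfile.diff patch; the buffer size, the function names and the simplified line syntax (two whitespace-separated or double-quoted tokens, '!' for comment lines) are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define ALIAS_TOKEN_MAX 256  /* assumed buffer size, not taken from XFree86 */

enum alias_status { ALIAS_OK = 0, ALIAS_SKIP = 1, ALIAS_TOO_LONG = -1, ALIAS_MALFORMED = -2 };

/* Copy one whitespace-delimited or double-quoted token from *pp into out
 * (capacity cap) and advance *pp past it. Never writes beyond out[cap-1]. */
static int next_token(const char **pp, char *out, size_t cap)
{
    const char *p = *pp;
    size_t n = 0;
    int quoted = 0;

    if (cap == 0) return ALIAS_TOO_LONG;
    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0') return ALIAS_MALFORMED;        /* expected a token, found none */
    if (*p == '"') { quoted = 1; p++; }
    while (*p && (quoted ? *p != '"' : !isspace((unsigned char)*p))) {
        /* Length check on file-supplied input: reject the line
         * instead of writing past the fixed-size buffer. */
        if (n + 1 >= cap) return ALIAS_TOO_LONG;
        out[n++] = *p++;
    }
    if (quoted) {
        if (*p != '"') return ALIAS_MALFORMED;     /* unterminated quote */
        p++;
    }
    out[n] = '\0';
    *pp = p;
    return ALIAS_OK;
}

/* Parse "alias fontname" from one line into two buffers of size cap each.
 * Returns ALIAS_SKIP for blank and comment lines. */
int parse_alias_line(const char *line, char *alias, char *font, size_t cap)
{
    const char *p = line;
    int rc;

    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '!') return ALIAS_SKIP;
    if ((rc = next_token(&p, alias, cap)) != ALIAS_OK) return rc;
    return next_token(&p, font, cap);
}
```

A caller that treats ALIAS_TOO_LONG as a reason to drop the line keeps the buffers intact regardless of what the file contains.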


