X Strike Force XFree86 SVN commit: r1028 - in branches/4.1.0/woody/debian: . patches
Author: branden
Date: 2004-02-15 14:47:19 -0500 (Sun, 15 Feb 2004)
New Revision: 1028
Added:
branches/4.1.0/woody/debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff
Modified:
branches/4.1.0/woody/debian/changelog
Log:
Fix multiple buffer overflows and insufficiently rigorous input validation
in the X11R6 fontfile library. (Closes: #232378)
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2004-02-13 19:36:19 UTC (rev 1027)
+++ branches/4.1.0/woody/debian/changelog 2004-02-15 19:47:19 UTC (rev 1028)
@@ -1,3 +1,24 @@
+xfree86 (4.1.0-16woody3) stable-security; urgency=high
+
+ * Security update release. Resolves the following issues:
+ + CAN-2004-0083: Buffer overflow in ReadFontAlias from dirfile.c of
+ XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to
+ execute arbitrary code via a font alias file (font.alias) with a long
+ token, a different vulnerability than CAN-2004-0084.
+ + CAN-2004-0084: Buffer overflow in the ReadFontAlias function in XFree86
+ 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows
+ local or remote authenticated users to execute arbitrary code via a
+ malformed entry in the font alias (font.alias) file, a different
+ vulnerability than CAN-2004-0083.
+ + CAN-2004-0106: Miscellaneous additional flaws in XFree86's handling of
+ font files.
+
+ * Fix multiple buffer overflows and insufficiently rigorous input validation
+ in the X11R6 fontfile library. (Closes: #232378)
+ - debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff
+
+ -- Branden Robinson <branden@debian.org> Sat, 14 Feb 2004 13:44:41 -0500
+
xfree86 (4.1.0-16woody2) stable-security; urgency=high
* Security update release. Resolves the following issues:
Added: branches/4.1.0/woody/debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff 2004-02-13 19:36:19 UTC (rev 1027)
+++ branches/4.1.0/woody/debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff 2004-02-15 19:47:19 UTC (rev 1028)
@@ -0,0 +1,237 @@
+$Id$
+
+xc/lib/font/fontfile/dirfile.c @ 3.11.2.1
+ 658. Fix font alias overrun.
+
+xc/lib/font/fontfile/dirfile.c @ 3.11.2.2
+xc/lib/font/fontfile/encparse.c @ 1.14.4.1
+xc/lib/font/fontfile/fontfile.c @ 3.14.2.1
+ 659. Some more font path checks.
+
+The CVE IDs for these vulnerabilities are CAN-2004-0083, CAN-2004-0084, and
+CAN-2004-0106.
+
+CAN-2004-0083: Buffer overflow in ReadFontAlias from dirfile.c of XFree86
+4.1.0 through 4.3.0 allows local users and remote attackers to execute
+arbitrary code via a font alias file (font.alias) with a long token, a
+different vulnerability than CAN-2004-0084.
+
+CAN-2004-0084: Buffer overflow in the ReadFontAlias function in XFree86
+4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local
+or remote authenticated users to execute arbitrary code via a malformed
+entry in the font alias (font.alias) file, a different vulnerability than
+CAN-2004-0083.
+
+CAN-2004-0106: Miscellaneous additional flaws in XFree86's handling of font
+files.
+
+--- xc/lib/font/fontfile/dirfile.c 2001/01/17 19:43:30 3.11
++++ xc/lib/font/fontfile/dirfile.c 2004/02/12 03:33:02 3.11.2.2
+@@ -21,7 +21,7 @@
+ in this Software without prior written authorization from The Open Group.
+
+ */
+-/* $XFree86: xc/lib/font/fontfile/dirfile.c,v 3.10 1999/09/04 09:14:11 dawes Exp $ */
++/* $XFree86: xc/lib/font/fontfile/dirfile.c,v 3.11.2.1 2004/02/08 22:30:49 dawes Exp $ */
+
+ /*
+ * Author: Keith Packard, MIT X Consortium
+@@ -67,6 +67,9 @@
+
+ FontDirectoryPtr dir = NullFontDirectory;
+
++ if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file))
++ return BadFontPath;
++
+ #ifdef FONTDIRATTRIB
+ /* Check for font directory attributes */
+ #ifndef __EMX__
+@@ -153,6 +156,9 @@
+ char dir_file[MAXFONTFILENAMELEN];
+ struct stat statb;
+
++ if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file))
++ return FALSE;
++
+ strcpy (dir_file, dir->directory);
+ strcat (dir_file, FontDirFile);
+ if (stat (dir_file, &statb) == -1)
+@@ -201,6 +207,8 @@
+ continue;
+
+ len = strlen (fileName) - renderer->fileSuffixLen;
++ if (len >= sizeof(copy))
++ continue;
+ CopyISOLatin1Lowered (copy, fileName, len);
+ copy[len] = '\0';
+ name.name = copy;
+@@ -250,9 +258,13 @@
+ int status = Successful;
+ struct stat statb;
+
++ if (strlen(directory) >= sizeof(alias_file))
++ return BadFontPath;
+ dir = *pdir;
+ strcpy(alias_file, directory);
+ if (!isFile) {
++ if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file))
++ return BadFontPath;
+ if (directory[strlen(directory) - 1] != '/')
+ strcat(alias_file, "/");
+ strcat(alias_file, FontAliasFile);
+@@ -285,6 +297,10 @@
+ status = AllocError;
+ break;
+ case NAME:
++ if (strlen(lexToken) >= sizeof(alias)) {
++ status = BadFontPath;
++ break;
++ }
+ strcpy(alias, lexToken);
+ token = lexAlias(file, &lexToken);
+ switch (token) {
+@@ -301,6 +317,10 @@
+ status = AllocError;
+ break;
+ case NAME:
++ if (strlen(lexToken) >= sizeof(font_name)) {
++ status = BadFontPath;
++ break;
++ }
+ CopyISOLatin1Lowered(alias, alias, strlen(alias));
+ CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));
+ if (!FontFileAddFontAlias (dir, alias, font_name))
+--- xc/lib/font/fontfile/encparse.c 2000/11/14 16:54:45 1.14
++++ xc/lib/font/fontfile/encparse.c 2004/02/12 03:33:02 1.14.4.1
+@@ -20,7 +20,7 @@
+ THE SOFTWARE.
+ */
+
+-/* $XFree86: xc/lib/font/fontfile/encparse.c,v 1.13 2000/09/19 12:46:08 eich Exp $ */
++/* $XFree86: xc/lib/font/fontfile/encparse.c,v 1.14 2000/11/14 16:54:45 dawes Exp $ */
+
+ /* Parser for encoding files */
+
+@@ -752,6 +752,7 @@
+ file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN],
+ *q, *lastslash;
+ int count, n;
++ static char format[24] = "";
+
+ for(p=fontFileName, q=dir, lastslash=NULL; *p; p++, q++) {
+ *q=*p;
+@@ -767,8 +768,10 @@
+ /* As we don't really expect to open encodings that often, we don't
+ * take the trouble of caching encodings directories. */
+
+- strcpy(buf, dir);
+- strcat(buf, "encodings.dir");
++ if (buf && strlen(dir) + 14 < MAXFONTFILENAMELEN) {
++ strcpy(buf, dir);
++ strcat(buf, "encodings.dir");
++ }
+
+ if((file=fopen(buf, "r"))==NULL) {
+ return NULL;
+@@ -781,8 +784,12 @@
+ }
+
+ encoding=NULL;
++ if (!format[0]) {
++ sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1,
++ sizeof(file_name) - 1);
++ }
+ for(;;) {
+- if((count=fscanf(file, "%s %[^\n]\n", encoding_name, file_name))==EOF)
++ if((count=fscanf(file, format, encoding_name, file_name))==EOF)
+ break;
+ if(count!=2)
+ break;
+--- xc/lib/font/fontfile/fontfile.c 2001/01/17 19:43:30 3.14
++++ xc/lib/font/fontfile/fontfile.c 2004/02/12 03:33:02 3.14.2.1
+@@ -21,7 +21,7 @@
+ in this Software without prior written authorization from The Open Group.
+
+ */
+-/* $XFree86: xc/lib/font/fontfile/fontfile.c,v 3.13 1999/08/21 13:48:03 dawes Exp $ */
++/* $XFree86: xc/lib/font/fontfile/fontfile.c,v 3.14 2001/01/17 19:43:30 dawes Exp $ */
+
+ /*
+ * Author: Keith Packard, MIT X Consortium
+@@ -420,11 +420,16 @@
+ vals.ranges = ranges;
+ vals.nranges = nranges;
+
+- strcpy (fileName, dir->directory);
+- strcat (fileName, scalable->fileName);
+- ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
++ if (strlen(dir->directory) + strlen(scalable->fileName) >=
++ sizeof(fileName)) {
++ ret = BadFontName;
++ } else {
++ strcpy (fileName, dir->directory);
++ strcat (fileName, scalable->fileName);
++ ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
+ flags, entry, fileName, &vals, format, fmask,
+ non_cachable_font);
++ }
+
+ /* In case rasterizer does something bad because of
+ charset subsetting... */
+@@ -493,6 +498,8 @@
+
+ dir = (FontDirectoryPtr) fpe->private;
+ bitmap = &entry->u.bitmap;
++ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
++ return BadFontName;
+ strcpy (fileName, dir->directory);
+ strcat (fileName, bitmap->fileName);
+ ret = (*bitmap->renderer->OpenBitmap)
+@@ -526,6 +533,8 @@
+
+ dir = (FontDirectoryPtr) fpe->private;
+ bitmap = &entry->u.bitmap;
++ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
++ return BadFontName;
+ strcpy (fileName, dir->directory);
+ strcat (fileName, bitmap->fileName);
+ ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName);
+@@ -887,10 +896,15 @@
+ vals.ranges = FontParseRanges(origName, &vals.nranges);
+ ranges = vals.ranges;
+ /* Make a new scaled instance */
+- strcpy (fileName, dir->directory);
+- strcat (fileName, scalable->fileName);
+- ret = (*scalable->renderer->GetInfoScalable)
+- (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
++ if (strlen(dir->directory) + strlen(scalable->fileName) >=
++ sizeof(fileName)) {
++ ret = BadFontName;
++ } else {
++ strcpy (fileName, dir->directory);
++ strcat (fileName, scalable->fileName);
++ ret = (*scalable->renderer->GetInfoScalable)
++ (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
++ }
+ if (ranges) xfree(ranges);
+ }
+ }
+@@ -927,10 +941,15 @@
+ bc = &entry->u.bc;
+ entry = bc->entry;
+ /* Make a new scaled instance */
+- strcpy (fileName, dir->directory);
+- strcat (fileName, scalable->fileName);
+- ret = (*scalable->renderer->GetInfoScalable)
++ if (strlen(dir->directory) + strlen(scalable->fileName) >=
++ sizeof(fileName)) {
++ ret = BadFontName;
++ } else {
++ strcpy (fileName, dir->directory);
++ strcat (fileName, scalable->fileName);
++ ret = (*scalable->renderer->GetInfoScalable)
+ (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals);
++ }
+ break;
+ #endif
+ default:
Property changes on: branches/4.1.0/woody/debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff
___________________________________________________________________
Name: svn:keywords
+ Id
Reply to: