NetBSD: XFree86 font buffer overflow vulnerabilities
Posted by LinuxSecurity.com Team   
NetBSD There is an integer overflow in the XFree86 font libraries, which could lead topotential privilege escalation and/or remote code execution.

		 NetBSD Security Advisory 2003-015
		 =================================

Topic:		Remote and local vulnerabilities in XFree86 font libraries

Version:	NetBSD-current:	source prior to August 31, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	High, for systems running an X server.

Fixed:		NetBSD-current:		August 31, 2003
		(xsrc is not branched by NetBSD release)


Abstract
========

There is an integer overflow in the XFree86 font libraries, which could lead to
potential privilege escalation and/or remote code execution.


Technical Details
=================
 
http://www.securityfocus.com/archive/1/335592

As seen in this advisory, the exact details of these issues have not been
shared.


Solutions and Workarounds
=========================

Workaround (proposed in the XFree86 advisory):

Ensure that neither xfs nor the X server include untrusted font servers in
their font search paths.  Xfs is not started by default in NetBSD and the
X server contains only directories under /usr/X11R6/lib/X11/fonts in its
font path.

To prevent the local privilege escalation problem, remove the suid bit from the
Xserver binary.  This will mean that only root can start the X server.

        chmod u-s /usr/X11R6/bin/XFree86

Please note that removing the suid bit will NOT prevent a compromise due to
malicious fonts.

Fix:

The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.

* NetBSD (all versions):

	Systems running NetBSD with X dated from before 2003-08-30
	should be upgraded to NetBSD with X dated 2003-08-31 or later.

	Unlike the main NetBSD source tree (src), xsrc is not branched
	based on NetBSD versions.

	The following directories need to be updated from the netbsd CVS:
		xsrc/xc/lib/font/fc
		xsrc/xc/lib/FS
		xsrc/xfree/xc/lib/font/fc
		xsrc/xfree/xc/lib/FS


	To update from CVS, re-build, and re-install X:
		# cd xsrc
		# cvs update -d -P xc/lib/font/fc xc/lib/FS \
			xfree/xc/lib/font/fc xfree/xc/lib/FS

		# make build

(The 'build' target performs installation as well as compilation)


Thanks To
=========

Matthias Scheler


Revision History
================

	2003-10-09	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
   ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-015.txt.asc

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.org/ and  http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-015.txt,v 1.4 2003/10/09 03:30:14 groo Exp $