Date: Tue, 13 May 2014 08:08:12 -0700
From: Alan Coopersmith <alan.coopersmith@oracle.com>
To: xorg-announce@lists.x.org
Subject: [ANNOUNCE] X.Org Security Advisory: Multiple issues in libXfont
Message-ID: <20140513150756.GA7356@also.us.oracle.com>
MIME-Version: 1.0
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: xorg@lists.x.org, xorg-devel@lists.x.org
Content-Type: multipart/mixed; boundary="===============1412085593=="


--===============1412085593==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="3OBcX0kPS7YKY6iD"
Content-Disposition: inline


--3OBcX0kPS7YKY6iD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

X.Org Security Advisory:  May 13, 2014
X Font Service Protocol & Font metadata file handling issues in libXfont
========================================================================

Description:
============

Ilja van Sprundel, a security researcher with IOActive, has discovered
several issues in the way the libXfont library handles the responses
it receives from xfs servers, and has worked with X.Org's security team
to analyze, confirm, and fix these issues.

Most of these issues stem from libXfont trusting the font server to send
valid protocol data, and not verifying that the values will not overflow
or cause other damage.  This code is commonly called from the X server
when an X Font Server is active in the font path, so may be running in a
setuid-root process depending on the X server in use.  Exploits of this
path could be used by a local, authenticated user to attempt to raise
privileges; or by a remote attacker who can control the font server to
attempt to execute code with the privileges of the X server.  (CVE-2014-XXXA
is the exception, as it does not involve communication with a font server,
as explained below.)

The vulnerabilities are:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

    When a local user who is already authenticated to the X server adds
    a new directory to the font path, the X server calls libXfont to open
    the fonts.dir and fonts.alias files in that directory and add entries
    to the font tables for every line in it.  A large file (~2-4 gb) could
    cause the allocations to overflow, and allow the remaining data read
    from the file to overwrite other memory in the heap.

    Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

    When parsing replies received from the font server, these calls do not
    check that the lengths and/or indexes returned by the font server are
    within the size of the reply or the bounds of the memory allocated to
    store the data, so could write past the bounds of allocated memory when
    storing the returned data.

    Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
    fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
    fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

    These calls do not check that their calculations for how much memory
    is needed to handle the returned data have not overflowed, so can
    result in allocating too little memory and then writing the returned
    data past the end of the allocated buffer.

    Affected functions: fs_get_reply(), fs_alloc_glyphs(),
    fs_read_extent_info()
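
The bug classes behind CVE-2014-0210 and CVE-2014-0211, shown as an added example that is not part of the advisory and not libXfont code. The reply layout, constants, sample bytes and function names are hypothetical and do not reproduce the xfs wire format; the point is the wrapped size computation next to a parser that checks the claimed count against the bytes actually received.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reply layout (constructed here, NOT the xfs wire format):
 * bytes 0..3 = num_items (little-endian, sender-chosen), followed by
 * num_items records of ITEM_SIZE bytes each. */
#define HDR_SIZE  4u
#define ITEM_SIZE 12u

/* Constructed samples: an honest 2-item reply, and a header whose count
 * (0x15555556) makes a 32-bit "count * 12" wrap around to 8. */
const uint8_t sample_ok[HDR_SIZE + 2 * ITEM_SIZE] = { 2, 0, 0, 0 };
const uint8_t sample_wrap[HDR_SIZE] = { 0x56, 0x55, 0x55, 0x15 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked pattern: the 32-bit product silently wraps for large counts,
 * so the buffer allocated from it is far smaller than the data to store. */
uint32_t naive_alloc_size(uint32_t num_items)
{
    return num_items * ITEM_SIZE;
}

/* Checked parse: returns a malloc'd copy of the records and sets *count, or
 * NULL when the reply is truncated or its count cannot be trusted. */
uint8_t *parse_reply(const uint8_t *reply, size_t reply_len, uint32_t *count)
{
    if (reply_len < HDR_SIZE)
        return NULL;                         /* too short to hold the header */
    uint32_t n = read_le32(reply);
    uint64_t need = (uint64_t)n * ITEM_SIZE; /* 64-bit product cannot wrap */
    if (n == 0 || need > reply_len - HDR_SIZE)
        return NULL;                         /* empty, or claims more than received */
    uint8_t *items = malloc((size_t)need);
    if (items == NULL)
        return NULL;
    memcpy(items, reply + HDR_SIZE, (size_t)need);
    *count = n;
    return items;
}

int main(void)
{
    uint32_t n = 0;  /* exit status 0: the wrapping header was rejected */
    return parse_reply(sample_wrap, sizeof sample_wrap, &n) != NULL;
}
```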


Affected Versions
=================

X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.


Fixes
=====

Fixes are available in the patches for these libXfont git commits:

Which are available now from:
      git://anongit.freedesktop.org/git/xorg/lib/libXfont
      http://cgit.freedesktop.org/xorg/lib/libXfont/

Fixes will also be included in these module releases from X.Org:
      libXfont 1.4.8
      libXfont 1.4.99.901 (1.5.0 RC 1)

Thanks
======

X.Org thanks Ilja van Sprundel of IOActive for reporting these issues to our
security team and assisting them in understanding them and evaluating our
fixes, and Alan Coopersmith of Oracle for coordinating the X.Org response and
developing the fixes for these issues.

-- 
	-Alan Coopersmith-              alan.coopersmith@oracle.com
	  X.Org Security Response Team - xorg-security@lists.x.org

--3OBcX0kPS7YKY6iD--

--===============1412085593==--

