Arch Linux Security Advisory ASA-201503-15 ========================================== Severity: Critical Date : 2015-03-17 CVE-ID : CVE-2015-1802 CVE-2015-1803 CVE-2015-1804 Package : libxfont Type : multiple issues Remote : No Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package libxfont before version 1.5.1-1 is vulnerable to multiple issues including denial of service and out-of-bounds memory read/write leading to arbitrary code execution with the privileges of the X server. Resolution ========== Upgrade to 1.5.1-1. # pacman -Syu "libxfont>=1.5.1-1" The problem has been fixed upstream in version 1.5.1. Workaround ========== None. Description =========== As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access). - CVE-2015-1802 (out-of-bounds memory write) The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. - CVE-2015-1803 (denial of service) If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. - CVE-2015-1804 (out-of-bounds memory read) The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access. Impact ====== A local attacker is able to use specially crafted font files to perform denial of service or execute arbitrary code with the privileges of the X server resulting in local privilege escalation. References ========== http://www.openwall.com/lists/oss-security/2015/03/17/5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1802 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1803 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1804 https://bugs.archlinux.org/task/44226