[arch-security] [ASA-201503-15] libxfont: multiple issues

Levente Polyak anthraxx at archlinux.org
Tue Mar 17 21:40:33 UTC 2015

Arch Linux Security Advisory ASA-201503-15

Severity: Critical
Date    : 2015-03-17
CVE-ID  : CVE-2015-1802 CVE-2015-1803 CVE-2015-1804
Package : libxfont
Type    : multiple issues
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE


The package libxfont before version 1.5.1-1 is vulnerable to multiple
issues including denial of service and out-of-bounds memory read/write
leading to arbitrary code execution with the privileges of the X server.


Upgrade to 1.5.1-1.

# pacman -Syu "libxfont>=1.5.1-1"

The problem has been fixed upstream in version 1.5.1.




As libXfont is used by the X server to read font files, and an
unprivileged user with access to the X server can tell the X server to
read a given font file from a path of their choosing, these
vulnerabilities have the potential to allow unprivileged users to run
code with the privileges of the X server (often root access).

- CVE-2015-1802 (out-of-bounds memory write)

The bdf parser reads a count for the number of properties defined in a
font from the font file, and allocates arrays with entries for each
property based on that count.  It never checked to see if that count was
negative, or large enough to overflow when multiplied by the size of the
structures being allocated, and could thus allocate the wrong buffer
size, leading to out of bounds writes.

- CVE-2015-1803 (denial of service)

If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap data
and later crash when trying to read the bitmap from that pointer.

- CVE-2015-1804 (out-of-bounds memory read)

The bdf parser read metrics values as 32-bit integers, but stored them
into 16-bit integers. Overflows could occur in various operations
leading to out-of-bounds memory access.


A local attacker is able to use specially crafted font files to perform
denial of service or execute arbitrary code with the privileges of the X
server resulting in local privilege escalation.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150317/9656d7ec/attachment.asc>

More information about the arch-security mailing list