[Please upgrade to 1.5 when it is released if you use xfstt. As far as I know xfstt functionality has been subsumed into the standard font server, xfs -- Raju]
This is an RFC 1153 digest. (1 message)

----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: ruben unteregger <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: xfstt-1.4 vulnerability
Date: Tue, 15 Jul 2003 00:38:20 +0200

---------------------------------------------------------------
ERA IT Solutions AG
http://www.era-it.ch

Security Advisory - xfstt-1.4 vulnerability - 11/07/2003
---------------------------------------------------------------

1. Vulnerability description
2. Impact
3. Notification status
4. Exploit status
5. Contact

---------------------------------------------------------------

1. Vulnerability description

The X Fontserver for Truetype fonts 1.4 (http://developer.berlios.de/projects/xfstt/ <http://freshmeat.net/redir/xfstt/11925/url_homepage/xfstt>) contains vulnerability holes which can be initiated remotely.

In xfstt.cc:working() the switch(buf[0]) { .. } statement is very insecurely implemented. No boundary checks on any network-received buffers are done. At least in two cases, namely FS_QueryXExtents8 and FS_QueryXBitmaps8, it is possible to arrange a packet which sets 'req->num_ranges' to a very big number that causes an array out-of-boundary access within the next for-loop.

This bug leads to a segmentation fault of the specific child and might even let an attacker execute arbitrary code.

2. Impact

It's yet unclear if this bug is exploitable or not. With a specially crafted packet you can disable/DoS the daemon.

3. Notification status

The author of xfstt (Guillem Jover) has been notified on May 28, 2003. There is no patch available, though version 1.5 is soon to be released.

4. Exploit status

A proof-of-concept DoS exploit exists, albeit unreleased.

5. Contact

[EMAIL PROTECTED]

---------------------------------------------------------------
Thanks to Jonathan Heusser who originally found this bug.
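The defect the advisory describes is a generic one: a count field (`num_ranges`) read straight from the network drives a for-loop that indexes a fixed-size array, with nothing checking that the count fits either the array or the bytes actually received. The following C example, added here and not code from xfstt or from the advisory's author, shows the hardened version of such a parser. The wire format, the `MAX_RANGES` capacity, the opcode value and every function name in it are constructed for illustration and are not xfstt's real protocol or identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (NOT xfstt's real protocol):
 *   byte 0      opcode
 *   byte 1      padding
 *   bytes 2-3   num_ranges, little-endian
 *   then num_ranges * 4 bytes: (first, last) 16-bit glyph ranges */
#define HDR_LEN     4
#define RANGE_LEN   4
#define MAX_RANGES  64   /* capacity of the fixed destination array (assumed) */

struct glyph_range { uint16_t first, last; };

struct query_req {
    uint8_t  opcode;
    uint16_t num_ranges;
    struct glyph_range ranges[MAX_RANGES];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Hardened parser: num_ranges is validated against both the destination array
 * and the bytes actually received BEFORE the copy loop runs. The pattern the
 * advisory describes trusts the count directly, so a peer can drive the loop
 * index past the end of the array. Returns 0 on success, -1 on malformed input. */
int parse_query_request(const uint8_t *buf, size_t len, struct query_req *out)
{
    if (buf == NULL || out == NULL || len < HDR_LEN)
        return -1;
    uint16_t n = rd16(buf + 2);
    if (n > MAX_RANGES)                  /* would index past out->ranges */
        return -1;
    if ((len - HDR_LEN) / RANGE_LEN < n) /* body shorter than the header claims */
        return -1;
    out->opcode = buf[0];
    out->num_ranges = n;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + HDR_LEN + i * RANGE_LEN;
        out->ranges[i].first = rd16(p);
        out->ranges[i].last  = rd16(p + 2);
    }
    return 0;
}

/* Test helper: build a packet whose header claims `claimed` ranges but whose
 * body carries only `actual` of them. Returns bytes written, 0 if cap is too small. */
size_t build_packet(uint8_t *dst, size_t cap, uint16_t claimed, uint16_t actual)
{
    size_t need = HDR_LEN + (size_t)actual * RANGE_LEN;
    if (need > cap) return 0;
    dst[0] = 0x10;          /* constructed opcode value, not a real FS_* code */
    dst[1] = 0;
    wr16(dst + 2, claimed);
    for (size_t i = 0; i < actual; i++) {
        wr16(dst + HDR_LEN + i * RANGE_LEN,     (uint16_t)(i * 10));
        wr16(dst + HDR_LEN + i * RANGE_LEN + 2, (uint16_t)(i * 10 + 5));
    }
    return need;
}

/* Scenario 1: honest packet, 2 ranges declared and 2 present. Returns 1 if parsed correctly. */
int check_well_formed(void)
{
    uint8_t pkt[256];
    struct query_req req;
    size_t n = build_packet(pkt, sizeof pkt, 2, 2);
    if (n == 0 || parse_query_request(pkt, n, &req) != 0) return 0;
    return req.num_ranges == 2 && req.ranges[1].first == 10 && req.ranges[1].last == 15;
}

/* Scenario 2: the advisory's case, num_ranges set to a very big number while
 * only 2 ranges are present. Returns 1 if the parser rejects it. */
int check_oversized_count(void)
{
    uint8_t pkt[256];
    struct query_req req;
    size_t n = build_packet(pkt, sizeof pkt, 0xFFFF, 2);
    return n != 0 && parse_query_request(pkt, n, &req) == -1;
}

/* Scenario 3: the body really does carry 100 ranges, but the destination
 * array only holds MAX_RANGES (64). Returns 1 if the parser rejects it. */
int check_count_exceeds_capacity(void)
{
    uint8_t pkt[512];
    struct query_req req;
    size_t n = build_packet(pkt, sizeof pkt, 100, 100);  /* 404 bytes */
    return n != 0 && parse_query_request(pkt, n, &req) == -1;
}

int main(void)
{
    printf("well-formed accepted:        %d\n", check_well_formed());
    printf("oversized count rejected:    %d\n", check_oversized_count());
    printf("over-capacity rejected:      %d\n", check_count_exceeds_capacity());
    return 0;
}
```

Two checks are needed, not one: scenario 2 is caught by comparing the count against the bytes received, scenario 3 by comparing it against the array capacity, and a parser that does only one of them still has an out-of-bounds path. Doing the division on the buffer side (`(len - HDR_LEN) / RANGE_LEN`) rather than multiplying `n * RANGE_LEN` avoids integer overflow when the count field is wider than 16 bits.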
------------------------------

End of this Digest
******************

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
