Public bug reported:

This libXfont issue could allow attackers to execute privileges with the same 
rights as the X.Org Server, which is generally root. The advisory reads: 
Ilja van Sprundel, a security researcher with IOActive, has discovered an issue 
in the parsing of BDF font files by libXfont. Additional testing by Alan 
Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool 
uncovered two more issues in the parsing of BDF font files. 

As libXfont is used by the X server to read font files, and an unprivileged 
user with access to the X server can tell the X server to read a given font 
file from a path of their choosing, these vulnerabilities have the potential to 
allow unprivileged users to run code with the privileges of the X server (often 
root access).

The resulting CVEs are "CVE-2015-1802: bdfReadProperties: property count needs 
range check", "CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap 
cannot be read", and "CVE-2015-1804: bdfReadCharacters: ensure metrics fit into 
xCharInfo struct."

http://www.phoronix.com/scan.php?page=news_item&px=BDF-File-Parsing-libXfont

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libxfont1 1:1.4.99.901-1
ProcVersionSignature: Ubuntu 3.19.0-9.9-generic 3.19.1
Uname: Linux 3.19.0-9-generic i686
NonfreeKernelModules: nvidia
.proc.driver.nvidia.registry: Binary: ""
.proc.driver.nvidia.version:
 NVRM version: NVIDIA UNIX x86 Kernel Module  346.47  Thu Feb 19 18:02:21 PST 2015
 GCC version:  gcc version 4.9.2 (Ubuntu 4.9.2-10ubuntu8)
ApportVersion: 2.16.2-0ubuntu3
Architecture: i386
CurrentDesktop: GNOME
Date: Tue Mar 17 18:05:30 2015
DistUpgraded: Fresh install
DistroCodename: vivid
DistroVariant: ubuntu
DkmsStatus:
 nvidia-346, 346.47, 3.19.0-9-generic, i686: installed
 vboxhost, 4.3.26, 3.19.0-9-generic, i686: installed
GraphicsCard:
 NVIDIA Corporation GM107 [GeForce GTX 750] [10de:1381] (rev a2) (prog-if 00 [VGA controller])
   Subsystem: Gigabyte Technology Co., Ltd Device [1458:362e]
Lsusb:
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 003 Device 002: ID 046d:c50e Logitech, Inc. Cordless Mouse Receiver
 Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: ASUSTEK COMPUTER INC P5W DH Deluxe
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.19.0-9-generic root=UUID=7b1f4a51-558f-468f-85e0-f815d2f791e1 ro
SourcePackage: libxfont
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/22/2010
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 3002
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: P5W DH Deluxe
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr3002:bd07/22/2010:svnASUSTEKCOMPUTERINC:pnP5WDHDeluxe:pvrSystemVersion:rvnASUSTeKComputerINC.:rnP5WDHDeluxe:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: P5W DH Deluxe
dmi.product.version: System Version
dmi.sys.vendor: ASUSTEK COMPUTER INC
version.compiz: compiz 1:0.9.12.1+15.04.20150303-0ubuntu1
version.libdrm2: libdrm2 2.4.59-0ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 10.5.0-0ubuntu1
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 10.5.0-0ubuntu1
version.nvidia-graphics-drivers: nvidia-graphics-drivers N/A
version.xserver-xorg-core: xserver-xorg-core 2:1.17.1-0ubuntu2
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.9.0-1ubuntu2
version.xserver-xorg-video-ati: xserver-xorg-video-ati N/A
version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.11-1ubuntu2build1
xserver.bootTime: Tue Mar 17 07:28:42 2015
xserver.configfile: default
xserver.devices:
 input        Power Button         KEYBOARD, id 6
 input        Power Button         KEYBOARD, id 7
 input        Logitech USB RECEIVER MOUSE, id 8
 input        AT Translated Set 2 keyboard KEYBOARD, id 9
xserver.errors:
 Failed to load module "fbdev" (module does not exist, 0)
 Failed to load module "fbdev" (module does not exist, 0)
xserver.logfile: /var/log/Xorg.0.log
xserver.outputs:
 
xserver.version: 2:1.17.1-0ubuntu2

** Affects: libxfont (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 ubuntu vivid

https://bugs.launchpad.net/bugs/1433214

Title:
  execution security issue
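
The CVE titles quoted in the report name two input checks: a range check on the BDF property count (CVE-2015-1802) and a check that glyph metrics fit the fixed-width fields they are stored in (CVE-2015-1804). The following is an added example of both checks, not libXfont's code and not part of the original report; all function and type names, the `MAX_PROPS` limit and the metric derivation are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not libXfont's code. */
#define MAX_PROPS 4096            /* assumed policy limit for this example */
typedef struct { int16_t lsb, rsb, ascent, descent; } char_metrics;

/* Parse one decimal field, rejecting junk, overflow and values outside [lo, hi]. */
static int parse_ranged(const char **p, long lo, long hi, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < lo || v > hi)
        return 0;
    *p = end;
    *out = v;
    return 1;
}

/* "STARTPROPERTIES n": accept n only if it is positive and bounded, so a
 * later n * sizeof(record) allocation cannot be negative or wrap. */
int read_prop_count(const char *line, size_t *count)
{
    static const char kw[] = "STARTPROPERTIES ";
    long n;
    if (strncmp(line, kw, sizeof kw - 1) != 0) return 0;
    line += sizeof kw - 1;
    if (!parse_ranged(&line, 1, MAX_PROPS, &n)) return 0;
    *count = (size_t)n;
    return 1;
}

/* "BBX w h x y": check the parsed values and the sums derived from them
 * before narrowing to 16-bit fields (derivation assumed for this example:
 * rsb = x + w, ascent = h + y, descent = -y). */
int read_bbx(const char *line, char_metrics *m)
{
    static const char kw[] = "BBX ";
    long w, h, x, y;
    if (strncmp(line, kw, sizeof kw - 1) != 0) return 0;
    line += sizeof kw - 1;
    if (!parse_ranged(&line, 0, INT16_MAX, &w) ||
        !parse_ranged(&line, 0, INT16_MAX, &h) ||
        !parse_ranged(&line, INT16_MIN, INT16_MAX, &x) ||
        !parse_ranged(&line, INT16_MIN + 1, INT16_MAX, &y))
        return 0;
    if (x + w > INT16_MAX || h + y > INT16_MAX) return 0;
    m->lsb = (int16_t)x;  m->rsb = (int16_t)(x + w);
    m->ascent = (int16_t)(h + y);  m->descent = (int16_t)-y;
    return 1;
}
```

The check on the derived sums matters as much as the check on the raw fields: each of `w` and `x` can fit in 16 bits while `x + w` does not.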
