Vulnerability Discovered in X Font Server

Oct 04, 2007

Two protocol handlers give attackers the ability to inject malicious code into X Font Server (XFS). Linux systems are only vulnerable to local attacks. The X Font Server is not accessible over networks by default.

The bug (CVE-2007-4568) in the handler for QueryXBitmap and QueryXExtents protocol requests can trigger integer overflows. In both protocols this triggers a call to the "build_range()" function which expects a 32 bit integer value with the request, and calculates the dynamic memory size. The calculation can overflow causing incorrect memory allocation. This results in a heap overflow. A second vulnerability affects the "swap_char2b()". Calling the function gives attackers the ability to store an arbitrary number of values on the heap. A successful exploit would give an attacker the ability to execute arbitrary code.

Security experts with Idefense tested a Solaris system. Solaris calls XFS by default on booting, and sets up the X Server to listen on port 7100, which would thus open up a remote attack vector. Idefense discovered the vulnerability in XFS version X11R7.2-1.0.4, although earlier versions may also be affected.

The X.org-Team has fixed the issue in the new XFS 1.0.5 Version. A patch is available for for version 1.0.4 (X11R7.3).

Related content

comments powered by Disqus

Issue 14: Raspberry Pi Handbook/Special Editions

Buy this issue as a PDF

Tag Cloud

Android Bruce Byfield Gnome KDE Kernel Linux Linux Pro Magazine Open Source Projects Red Hat Ubuntu events foss free software google

News