Vulnerability Discovered in X Font Server

Oct 04, 2007

Two protocol handlers give attackers the ability to inject malicious code into X Font Server (XFS). Linux systems are only vulnerable to local attacks. The X Font Server is not accessible over networks by default.

The bug (CVE-2007-4568) in the handler for QueryXBitmap and QueryXExtents protocol requests can trigger integer overflows. In both protocols this triggers a call to the "build_range()" function which expects a 32 bit integer value with the request, and calculates the dynamic memory size. The calculation can overflow causing incorrect memory allocation. This results in a heap overflow. A second vulnerability affects the "swap_char2b()". Calling the function gives attackers the ability to store an arbitrary number of values on the heap. A successful exploit would give an attacker the ability to execute arbitrary code.

Security experts with Idefense tested a Solaris system. Solaris calls XFS by default on booting, and sets up the X Server to listen on port 7100, which would thus open up a remote attack vector. Idefense discovered the vulnerability in XFS version X11R7.2-1.0.4, although earlier versions may also be affected.

The has fixed the issue in the new XFS 1.0.5 Version. A patch is available for for version 1.0.4 (X11R7.3).

Related content

comments powered by Disqus

Issue 272/2023

Buy this issue as a PDF

Digital Issue: Price $12.99
(incl. VAT)

Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters