LibXfont, monolithic X.org: Multiple integer overflows — GLSA 200609-07

Some buffer overflows were discovered in the CID font parser, potentially resulting in the execution of arbitrary code with elevated privileges.

Affected packages

x11-libs/libXfont on all architectures
Affected versions < 1.2.1
Unaffected versions >= 1.2.1
x11-base/xorg-x11 on all architectures
Affected versions < 7.0
Unaffected versions >= 7.0

Background

libXfont is the X.Org Xfont library, some parts are based on the FreeType code base.

Description

Several integer overflows have been found in the CID font parser.

Impact

A remote attacker could exploit this vulnerability by enticing a user to load a malicious font file resulting in the execution of arbitrary code with the permissions of the user running the X server which typically is the root user. A local user could exploit this vulnerability to gain elevated privileges.

Workaround

Disable CID-encoded Type 1 fonts by removing the "type1" module and replacing it with the "freetype" module in xorg.conf.

Resolution

All libXfont users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.1"

All monolithic X.org users are advised to migrate to modular X.org.

References

Release date
September 13, 2006

Latest revision
September 13, 2006: 01

Severity
high

Exploitable
local and remote

Bugzilla entries