NetBSD Security Advisory 2003-015: Remote and local vulnerabilities in XFree86 font libraries

[NetBSD Security Officer <security-officer@xxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2003-015
                 =================================

Topic:          Remote and local vulnerabilities in XFree86 font libraries

Version:        NetBSD-current: source prior to August 31, 2003
                NetBSD 1.6.1:   affected
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected

Severity:       High, for systems running an X server.

Fixed:          NetBSD-current:         August 31, 2003
                (xsrc is not branched by NetBSD release)


Abstract
========

There is an integer overflow in the XFree86 font libraries, which could lead to
potential privilege escalation and/or remote code execution.


Technical Details
=================

http://www.securityfocus.com/archive/1/335592

As seen in this advisory, the exact details of these issues have not been
shared.


Solutions and Workarounds
=========================

Workaround (proposed in the XFree86 advisory):

Ensure that neither xfs nor the X server include untrusted font servers in
their font search paths.  Xfs is not started by default in NetBSD and the
X server contains only directories under /usr/X11R6/lib/X11/fonts in its
font path.

To prevent the local privilege escalation problem, remove the suid bit from the
Xserver binary.  This will mean that only root can start the X server.

        chmod u-s /usr/X11R6/bin/XFree86

Please note that removing the suid bit will NOT prevent a compromise due to
malicious fonts.

Fix:

The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.

* NetBSD (all versions):

        Systems running NetBSD with X dated from before 2003-08-30
        should be upgraded to NetBSD with X dated 2003-08-31 or later.

        Unlike the main NetBSD source tree (src), xsrc is not branched
        based on NetBSD versions.

        The following directories need to be updated from the netbsd CVS:
                xsrc/xc/lib/font/fc
                xsrc/xc/lib/FS
                xsrc/xfree/xc/lib/font/fc
                xsrc/xfree/xc/lib/FS


        To update from CVS, re-build, and re-install X:
                # cd xsrc
                # cvs update -d -P xc/lib/font/fc xc/lib/FS \
                        xfree/xc/lib/font/fc xfree/xc/lib/FS

                # make build

(The 'build' target performs installation as well as compilation)


Thanks To
=========

Matthias Scheler


Revision History
================

        2003-10-09      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-015.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-015.txt,v 1.4 2003/10/09 03:30:14 groo Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBP4V/2j5Ru2/4N2IFAQGksgQAgDjq8uINDBkHiA+xou+YcQjpQf5JGxCB
JPxjNJQx7Huh5ysfzML353uQ/Xp7qmDzTen6rfbgucX/glWH4vOeBoDcFuDi0jbj
WId1u2gsV87lFuMD365r6ZPnD1UikQuU5+0L2QQto9yXwSWsiUZvTW3/e2EKexAc
c4vKGBzp4Rc=
=UbHb
-----END PGP SIGNATURE-----