https://bugzilla.redhat.com/show_bug.cgi?id=1203719
Bug ID: 1203719
Summary: CVE-2015-1804 libXfont: out-of-bounds memory access in bdfReadCharacters
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mprpic@redhat.com
CC: btissoir@redhat.com, fonts-bugs@lists.fedoraproject.org, sandmann@redhat.com
The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access.
A local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.
Upstream advisory:
http://seclists.org/oss-sec/2015/q1/865
Upstream patch:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=2351c83a77a478b49cb...
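The truncation described in the report above, shown as an added example; this is not libXfont code and not the upstream patch. The struct, the function names and the BBX sample line are hypothetical and constructed for illustration. It shows a value parsed as a 32-bit int being narrowed into a 16-bit field, how sizes computed from the two views disagree, and a range check that rejects the glyph instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-bit metrics record (names are illustrative). */
struct metrics16 { int16_t width, height, x_off, y_off; };

/* Parse a BDF "BBX w h x y" line into full-width ints, as the report describes. */
int parse_bbx(const char *line, int v[4])
{
    return sscanf(line, "BBX %d %d %d %d", &v[0], &v[1], &v[2], &v[3]) == 4 ? 0 : -1;
}

/* Flawed pattern: narrow to 16 bits with no range check; high bits are dropped. */
void store_unchecked(struct metrics16 *m, const int v[4])
{
    m->width  = (int16_t)v[0];
    m->height = (int16_t)v[1];
    m->x_off  = (int16_t)v[2];
    m->y_off  = (int16_t)v[3];
}

/* Hardened pattern: reject the glyph unless every value fits in int16_t. */
int store_checked(struct metrics16 *m, const int v[4])
{
    for (int i = 0; i < 4; i++)
        if (v[i] < INT16_MIN || v[i] > INT16_MAX)
            return -1;
    store_unchecked(m, v);   /* narrowing is lossless once the range is checked */
    return 0;
}

/* Bytes for a 1-bit-per-pixel glyph bitmap: rows * bytes per row. */
long bitmap_bytes(long width, long height)
{
    return height * ((width + 7) / 8);
}

int main(void)
{
    const char *line = "BBX 65537 16 0 0";   /* constructed sample input */
    int v[4];
    struct metrics16 m;

    if (parse_bbx(line, v) != 0) return 1;
    store_unchecked(&m, v);
    printf("parsed width %d -> stored width %d\n", v[0], m.width);
    printf("size from parsed: %ld, from stored: %ld\n",
           bitmap_bytes(v[0], v[1]), bitmap_bytes(m.width, m.height));
    printf("checked store: %s\n", store_checked(&m, v) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Any code that sizes a buffer from one view of the metrics and indexes it using the other is working with inconsistent bounds, which is why the check belongs at parse time.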
Martin Prpic mprpic@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1203720
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1203720 [Bug 1203720] CVE-2015-1802 CVE-2015-1803 libXfont: various flaws [fedora-all]
--- Comment #1 from Martin Prpic mprpic@redhat.com ---
Created libXfont tracking bugs for this issue:
Affects: fedora-all [bug 1203720]
Martin Prpic mprpic@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1203722
Bug 1203719 depends on bug 1203720, which changed state.
Bug 1203720 Summary: CVE-2015-1804 CVE-2015-1802 CVE-2015-1803 libXfont: various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1203720
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
libXfont-1.5.1-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Stefan Cornelius scorneli@redhat.com changed:
What     |Removed |Added
----------------------------------------------------------------------------
Priority |medium  |high
Severity |medium  |high
Taylor Frazier tfrazier@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |tfrazier@redhat.com
Stefan Cornelius scorneli@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20150317,reported=20150318,source=internet,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,rhel-5/libXfont=affected,rhel-6/libXfont=affected,rhel-7/libXfont=affected,fedora-all/libXfont=affected
Added: impact=important,public=20150317,reported=20150318,source=internet,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,rhel-5/libXfont=affected,rhel-6/libXfont=affected,rhel-7/libXfont=affected,fedora-all/libXfont=affected
--- Doc Text *updated* ---
An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could exploit this issue to crash the X.Org server or potentially execute arbitrary code with the privileges of the X.Org server.
Stefan Cornelius scorneli@redhat.com changed:
What: Whiteboard
Removed: impact=important,public=20150317,reported=20150318,source=internet,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,rhel-5/libXfont=affected,rhel-6/libXfont=affected,rhel-7/libXfont=affected,fedora-all/libXfont=affected
Added: impact=important,public=20150317,reported=20150318,source=internet,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,rhel-5/libXfont=affected,rhel-6/libXfont=affected,rhel-7/libXfont=affected,fedora-all/libXfont=affected,cwe=CWE-704->CWE-681->CWE-805
--- Doc Text *updated* by Martin Prpic mprpic@redhat.com ---
An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server.
Peter Hutterer peter.hutterer@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1241939
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1241939 [Bug 1241939] bdftopcf: bdf input, xtfont4.bdf, corrupt
Benjamin Tissoires btissoir@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |1241939 |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1241939 [Bug 1241939] bdftopcf: bdf input, xtfont4.bdf, corrupt
Stefan Cornelius scorneli@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1258892
Stefan Cornelius scorneli@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1258893
Stefan Cornelius scorneli@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1258894
Stefan Cornelius scorneli@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1258895
--- Comment #4 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2015:1708 https://rhn.redhat.com/errata/RHSA-2015-1708.html
ddu@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |ddu@redhat.com
--- Comment #5 from ddu@redhat.com ---
Hi guys,
Does this problem CVE affect libXfont shipped with RHEL5?
Best regards,
Dapeng
Matt Goldman magoldma@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |magoldma@redhat.com
--- Comment #6 from Matt Goldman magoldma@redhat.com ---
Dapeng,
Yes, from the whiteboard RHEL 5 is affected:
rhel-5/libXfont=affected
However, RHEL 5 has entered Production Phase 3 as of January 31, 2014. As per our errata policy:
"During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."
Red Hat Enterprise Linux Life Cycle
https://access.redhat.com/support/policy/updates/errata#Production_3_Phase
This means that Red Hat will not be addressing Low, Moderate, or Important impact CVEs in relation to RHEL 5.
Stefan Cornelius scorneli@redhat.com changed:
What: Whiteboard
Removed: impact=important,public=20150317,reported=20150318,source=internet,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,rhel-5/libXfont=affected,rhel-6/libXfont=affected,rhel-7/libXfont=affected,fedora-all/libXfont=affected,cwe=CWE-704->CWE-681->CWE-805
Added: impact=important,public=20150317,reported=20150318,source=internet,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/libXfont=affected,rhel-6/libXfont=affected,rhel-7/libXfont=affected,fedora-all/libXfont=affected,cwe=CWE-704->CWE-681->CWE-805