[Bug 1203715] New: CVE-2015-1802 libXfont: missing range check in bdfReadProperties

bugzilla at redhat.com bugzilla at redhat.com
Thu Mar 19 14:08:08 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1203715

            Bug ID: 1203715
           Summary: CVE-2015-1802 libXfont: missing range check in
                    bdfReadProperties
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team at redhat.com
          Reporter: mprpic at redhat.com
                CC: btissoir at redhat.com,
                    fonts-bugs at lists.fedoraproject.org,
                    sandmann at redhat.com



The bdf parser reads a count for the number of properties defined in a font
from the font file, and allocates arrays with entries for each property based
on that count. It never checked to see if that count was negative, or large
enough to overflow when multiplied by the size of the structures being
allocated, and could thus allocate the wrong buffer size, leading to out of
bounds writes.

A local user could exploit this issue to potentially execute arbitrary code
with the privileges of the X.Org server.

Upstream advisory:

http://seclists.org/oss-sec/2015/q1/865

Upstream patch:

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=lX6DTEkBbs&a=cc_unsubscribe


More information about the fonts-bugs mailing list