Fixed: NetBSD-current: August 31, 2003
(xsrc is not branched by NetBSD release)
Abstract
========
There is an integer overflow in the XFree86 font libraries, which could lead to
potential privilege escalation and/or remote code execution.
Technical Details
=================
http://www.securityfocus.com/archive/1/335592
As seen in this advisory, the exact details of these issues have not been
shared.
Solutions and Workarounds
=========================
Workaround (proposed in the XFree86 advisory):
Ensure that neither xfs nor the X server include untrusted font servers in
their font search paths. Xfs is not started by default in NetBSD and the
X server contains only directories under /usr/X11R6/lib/X11/fonts in its
font path.
To prevent the local privilege escalation problem, remove the suid bit from the
Xserver binary. This will mean that only root can start the X server.
chmod u-s /usr/X11R6/bin/XFree86
Please note that removing the suid bit will NOT prevent a compromise due to
malicious fonts.
Fix:
The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.
* NetBSD (all versions):
Systems running NetBSD with X dated from before 2003-08-30
should be upgraded to NetBSD with X dated 2003-08-31 or later.
Unlike the main NetBSD source tree (src), xsrc is not branched
based on NetBSD versions.
The following directories need to be updated from the netbsd CVS:
xsrc/xc/lib/font/fc
xsrc/xc/lib/FS
xsrc/xfree/xc/lib/font/fc
xsrc/xfree/xc/lib/FS
To update from CVS, re-build, and re-install X:
# cd xsrc
# cvs update -d -P xc/lib/font/fc xc/lib/FS xfree/xc/lib/font/fc xfree/xc/lib/FS
# make build
(The 'build' target performs installation as well as compilation)
Thanks To
=========
Matthias Scheler
Revision History
================
2003-10-09 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-015.tx
t.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2003-015
=================================
Topic: Remote and local vulnerabilities in XFree86 font libraries
Version: NetBSD-current: source prior to August 31, 2003
NetBSD 1.6.1: affected
NetBSD 1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
Severity: High, for systems running an X server.
Fixed: NetBSD-current: August 31, 2003
(xsrc is not branched by NetBSD release)
Abstract
========
There is an integer overflow in the XFree86 font libraries, which could lead to
potential privilege escalation and/or remote code execution.
Technical Details
=================
http://www.securityfocus.com/archive/1/335592
As seen in this advisory, the exact details of these issues have not been
shared.
Solutions and Workarounds
=========================
Workaround (proposed in the XFree86 advisory):
Ensure that neither xfs nor the X server include untrusted font servers in
their font search paths. Xfs is not started by default in NetBSD and the
X server contains only directories under /usr/X11R6/lib/X11/fonts in its
font path.
To prevent the local privilege escalation problem, remove the suid bit from the
Xserver binary. This will mean that only root can start the X server.
chmod u-s /usr/X11R6/bin/XFree86
Please note that removing the suid bit will NOT prevent a compromise due to
malicious fonts.
Fix:
The following instructions describe how to upgrade your X
binaries by updating your source tree and rebuilding and
installing a new version of X.
* NetBSD (all versions):
Systems running NetBSD with X dated from before 2003-08-30
should be upgraded to NetBSD with X dated 2003-08-31 or later.
Unlike the main NetBSD source tree (src), xsrc is not branched
based on NetBSD versions.
The following directories need to be updated from the netbsd CVS:
xsrc/xc/lib/font/fc
xsrc/xc/lib/FS
xsrc/xfree/xc/lib/font/fc
xsrc/xfree/xc/lib/FS
To update from CVS, re-build, and re-install X:
# cd xsrc
# cvs update -d -P xc/lib/font/fc xc/lib/FS xfree/xc/lib/font/fc xfree/xc/lib/FS
# make build
(The 'build' target performs installation as well as compilation)
Thanks To
=========
Matthias Scheler
Revision History
================
2003-10-09 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-015.tx
t.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-015.txt,v 1.4 2003/10/09 03:30:14 groo Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBP4V/2j5Ru2/4N2IFAQGksgQAgDjq8uINDBkHiA+xou+YcQjpQf5JGxCB
JPxjNJQx7Huh5ysfzML353uQ/Xp7qmDzTen6rfbgucX/glWH4vOeBoDcFuDi0jbj
WId1u2gsV87lFuMD365r6ZPnD1UikQuU5+0L2QQto9yXwSWsiUZvTW3/e2EKexAc
c4vKGBzp4Rc=
=UbHb
-----END PGP SIGNATURE-----
[ reply ]