
ESB-2014.0840 - [NetBSD] libXfont: Root compromise - Existing account

Date: 29 May 2014
References: ESB-2014.0726  ESB-2014.2163  


             AUSCERT External Security Bulletin Redistribution

                     libXfont multiple vulnerabilities
                                29 May 2014


        AusCERT Security Bulletin Summary

Product:          libXfont
Publisher:        NetBSD
Operating System: NetBSD
Impact/Access:    Root Compromise -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-0211 CVE-2014-0210 CVE-2014-0209

Reference:        ESB-2014.0726

--------------------------BEGIN INCLUDED TEXT--------------------


		NetBSD Security Advisory 2014-005

Topic:		libXfont multiple vulnerabilities

Version:	NetBSD-current:		source prior to May 13th, 2014
		NetBSD 6.1 - 6.1.4:	affected
		NetBSD 6.0 - 6.0.5:	affected
		NetBSD 5.1 - 5.1.4:	affected
		NetBSD 5.2 - 5.2.2:	affected

Severity:	privilege escalation

Fixed:		NetBSD-current:		May 13th, 2014
		NetBSD-6-0 branch:	May 14th, 2014
		NetBSD-6-1 branch:	May 14th, 2014
		NetBSD-6 branch:	May 14th, 2014
		NetBSD-5-2 branch:	May 14th, 2014
		NetBSD-5-1 branch:	May 14th, 2014
		NetBSD-5 branch:	May 14th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


integer overflow of allocations in font metadata file parsing

This vulnerability has been assigned CVE-2014-0209

unvalidated length fields when parsing xfs protocol replies

This vulnerability has been assigned CVE-2014-0210

integer overflows calculating memory needs for xfs replies

This vulnerability has been assigned CVE-2014-0211

The X server commonly runs as root, while the user of the X server
controls the fontpath. A malicious local user could therefore trigger
these buffer overflows by pointing the fontpath at a prepared font
directory or at a malicious xfs server, and so execute code as root.

Technical Details

Citing from the advisory:

integer overflow of allocations in font metadata file parsing

     When a local user who is already authenticated to the X server adds
     a new directory to the font path, the X server calls libXfont to open
     the fonts.dir and fonts.alias files in that directory and add entries
     to the font tables for every line in it.  A large file (~2-4 gb) could
     cause the allocations to overflow, and allow the remaining data read
     from the file to overwrite other memory in the heap.

unvalidated length fields when parsing xfs protocol replies

     When parsing replies received from the font server, these calls do not
     check that the lengths and/or indexes returned by the font server are
     within the size of the reply or the bounds of the memory allocated to
     store the data, so could write past the bounds of allocated memory when
     storing the returned data.

integer overflows calculating memory needs for xfs replies

     These calls do not check that their calculations for how much memory
     is needed to handle the returned data have not overflowed, so can
     result in allocating too little memory and then writing the returned
     data past the end of the allocated buffer.
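The three defect classes described above, as an added example that is not libXfont code and not part of the NetBSD or X.Org advisories: the unchecked allocation-size computation beside an overflow-checked form, and a reply copy that validates the server-supplied length against both the bytes actually received and the destination buffer. FONT_ENTRY_SIZE, struct xfs_reply and the function names are constructed for illustration.

```c
/* Added example, not libXfont code: the allocation-sizing and
 * length-validation defects the advisory describes, each beside a
 * hardened form. FONT_ENTRY_SIZE, struct xfs_reply and the function
 * names are constructed for illustration. */
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for one font table entry (one fonts.dir line). */
#define FONT_ENTRY_SIZE 64u

/* Vulnerable pattern (the CVE-2014-0209 / CVE-2014-0211 class): the byte
 * count is computed in 32 bits and silently wraps for a huge entry count,
 * so the allocation is far smaller than the data later written into it. */
static uint32_t table_bytes_unchecked(uint32_t entries)
{
    return entries * FONT_ENTRY_SIZE;   /* wraps once entries >= 2^26 */
}

/* Hardened form: refuse the request when the multiplication would
 * overflow. Returns 1 and stores the size on success, 0 on overflow. */
static int table_bytes_checked(uint32_t entries, size_t *out)
{
    if (entries > UINT32_MAX / FONT_ENTRY_SIZE)
        return 0;
    *out = (size_t)entries * FONT_ENTRY_SIZE;
    return 1;
}

/* Constructed stand-in for an xfs reply: the server states how many bytes
 * of payload follow. In the CVE-2014-0210 class, claimed_len is trusted
 * and copied without comparison against the bytes actually received or
 * the destination size, writing past the end of the heap buffer. */
struct xfs_reply {
    uint32_t claimed_len;        /* length field supplied by the server */
    size_t received_len;         /* bytes actually received */
    const unsigned char *data;
};

/* Hardened copy: accept the server's length only if it is covered by the
 * received data and fits the destination. Returns bytes copied, or -1. */
static long copy_reply_checked(const struct xfs_reply *r,
                               unsigned char *dst, size_t dst_len)
{
    if (r->claimed_len > r->received_len || r->claimed_len > dst_len)
        return -1;
    memcpy(dst, r->data, r->claimed_len);
    return (long)r->claimed_len;
}
```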

Solutions and Workarounds

Update libXfont to a non-vulnerable version.

libXfont is contained in xbase.tgz, so get<r>/<d>/<a>/binary/sets/xbase.tgz
with <r>=release, <d>=date > 20140514, <a>=arch
(for example:
and then:
cd / ; tar xzpf xbase.tgz ./usr/X11R7/lib/
for xfree
cd / ; tar xzpf xbase.tgz ./usr/X11R6/lib/

or rebuild the system from fixed source with -x

Fixed versions: xsrc/external/mit/libXfont/dist/src/
                   HEAD  6            6-1          6-0
fc/fsconvert.c     1.2
fc/fserve.c        1.2
fontfile/dirfile.c 1.2

                   5            5-2              5-1

xfree: xsrc/xfree/xc/lib/font/
                   HEAD  6         6-1       6-0
fc/fsconvert.c     1.5
fc/fserve.c        1.5
fontfile/dirfile.c 1.5

                   5         5-2       5-1

Thanks To

Thanks to Ilja van Sprundel, a security researcher with IOActive, who
discovered the issues, and to the security team for developing fixes
and coordinating the vulnerability release.

Revision History

	2014-05-28	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-005.txt,v 1.1 2014/05/27 23:53:20 tonnerre Exp $


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.