Font server vulnerable on UNIX systems
Two vulnerabilities in X.org's X Window System Font Server (XFS) allow users logged into the system to escalate their access rights; under Solaris, the escalation is reportedly even possible via remote access. An X Font Server can run locally or on a network to provide X Servers with a number of fonts and handle rendering on their behalf. Originally, the Font Server was required because XFree did not support any TrueType fonts. However, this function has been a part of the X Server since XFree 4.x. On the other hand, fonts can only be rendered by a separate process, the font server, for performance reasons. In networks, XFS runs on TCP port 7100.
The current problems are the result of an integer overflow and a heap overflow in the handling of QueryXBitmaps and QueryXExtents requests, which iDefense says allow code to be injected into memory and executed with the rights of the XFS. Font Server 1.0.4, which is contained in X.org's X11R7.2-1.0.4, is affected. The flaw has been remedied in version 1.0.5, and a patch has also been released. In the past, the XFree Server has generally been the culprit whenever there were holes in X.org products, though iDefense does not explicitly mention this fact in its security advisory.
iDefense does say that the XFS only listens on UNIX sockets on modern Linux distributions. On Solaris, however, the service, which is enabled in the default configuration, does communicate via the aforementioned TCP port. As a result, the flaw can also be exploited remotely to open, for instance, a remote shell, though this is generally only possible within a LAN. As a workaround for Solaris, iDefense suggests disabling the service via the Service Manager.
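To check which of the two situations described above applies to a host, the following added example (not taken from the X.org or iDefense advisories) scans pasted `netstat -an` output for a TCP listener on port 7100 and reports how widely it is bound. The function names and the sample lines are constructed for illustration; the parser assumes the Linux `addr:port` and Solaris `addr.port` notations.

```python
import ipaddress
import re

# Local address field: Linux prints addr:port, Solaris prints addr.port
_ADDR_PORT = re.compile(r"^(.*)[.:](\d+)$")

def _scope(addr):
    """Classify how widely a listening address is reachable."""
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # e.g. a host name printed without -n
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "single-interface"

def font_server_tcp_listeners(netstat_output, port=7100):
    """Return (address, scope) for each TCP socket listening on `port`."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:  # UNIX sockets show LISTENING, not LISTEN
            continue
        for field in fields:
            m = _ADDR_PORT.match(field)
            if m:  # first addr/port field on the row is the local address
                if int(m.group(2)) == port:
                    found.append((m.group(1), _scope(m.group(1))))
                break
    return found

# Constructed sample output, not captured from a real system.
SOLARIS_SAMPLE = """\
      *.22                 *.*                0      0 49152      0 LISTEN
      *.7100               *.*                0      0 49152      0 LISTEN
"""
LINUX_SAMPLE = """\
tcp        0      0 127.0.0.1:631      0.0.0.0:*      LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     7421     /tmp/.font-unix/fs7100
"""

if __name__ == "__main__":
    for name, sample in (("solaris", SOLARIS_SAMPLE), ("linux", LINUX_SAMPLE)):
        hits = font_server_tcp_listeners(sample)
        print(name, hits if hits else "no TCP listener on 7100")
```

A result with scope `all-interfaces` or `single-interface` means the font server is reachable over the network and falls under the remote scenario; an empty result means only local users can reach it.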
- X.Org security advisory: multiple vulnerabilities in X font server, X.org's announcement
- Multiple Vendor X Font Server Multiple Vulnerabilities, iDefense's security advisory