Several holes in the X.Org server
Security service provider iDefense has reported a number of vulnerabilities in the X.Org X server that local users can exploit to escalate their privileges. Another vulnerability can even be remotely exploited.
The first hole is in the routines that handle fonts in the BDF format. Fonts can be manipulated to cause an integer variable to overflow, allowing local users to escalate their privileges. This flaw also affects the FreeType library. A similar vulnerability is found in the handling of font information files (fonts.dir). If the first line of this file contains a value larger than 230, a variable overflow also occurs with similar results.
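The kind of check that closes this class of bug for the fonts.dir case, where the first line of the file holds the number of entries that follow, as an added example (not code from X.Org or from the iDefense advisory). The `font_entry` layout, the `MAX_FONT_ENTRIES` limit and both function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-font record; the real server's table entry differs. */
struct font_entry {
    char *file;
    char *xlfd;
    void *priv[4];
};

/* Assumed policy limit for this example, not a value taken from X.Org. */
#define MAX_FONT_ENTRIES 65536L

/*
 * Parse the first line of a fonts.dir file (the entry count) and compute the
 * table size in bytes. Returns 0 on success, -1 if the count is malformed,
 * negative, above the policy limit, or would overflow the size computation.
 */
int fonts_dir_table_size(const char *first_line, size_t *bytes_out)
{
    char *end;
    long count;

    errno = 0;
    count = strtol(first_line, &end, 10);
    if (end == first_line || errno == ERANGE)
        return -1;                      /* not a number, or out of range */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;                      /* trailing garbage after the count */
    if (count < 0 || count > MAX_FONT_ENTRIES)
        return -1;
    /* Generic guard: still holds if the policy limit is raised later. */
    if ((size_t)count > SIZE_MAX / sizeof(struct font_entry))
        return -1;
    *bytes_out = (size_t)count * sizeof(struct font_entry);
    return 0;
}

/* What an unchecked 32-bit size computation yields for the same inputs. */
uint32_t unchecked_size32(uint32_t count, uint32_t entry_size)
{
    return count * entry_size;          /* wraps modulo 2^32 */
}
```

With a constructed count of 536870913 and an 8-byte entry, the unchecked product wraps to 8 bytes, which is why the count has to be rejected before any allocation is sized from it.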
The third security hole reported is in the X extension XC-MISC, which is used to administer and allocate resources. Insufficient checks of transmitted values can cause memory to be overwritten in the ProcXCMiscGetXIDList() function, which looks for available resource IDs.
A fourth vulnerability, which could possibly be remotely exploitable via manipulated websites, involves the functions XGetPixel() and XInitImage(). Applications that link to these functions and are fed specially prepared graphics that cause an integer variable to overflow may crash or execute injected code.
The developers at X.Org have provided source code patches to close the holes. Linux distributors will probably be releasing updated packages soon; affected users are advised to install them as quickly as possible. Apparently, only Ubuntu has already provided patched packages.
- Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability, iDefense's security advisory
- Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability, iDefense's security advisory
- Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability, iDefense's security advisory
- Patch for the hole in XGetPixel and XInitImage