Bug 1203719 (CVE-2015-1804)

Summary: CVE-2015-1804 libXfont: out-of-bounds memory access in bdfReadCharacters
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: btissoir, fonts-bugs, jshort, sandmann, tfrazier
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libXfont 1.5.1, libXfont 1.4.9
Doc Type: Bug Fix
Doc Text:
An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server.
Last Closed: 2019-06-08 02:40:11 UTC
Bug Depends On: 1203720, 1258892, 1258893, 1258894, 1258895    
Bug Blocks: 1203722    

Description Martin Prpič 2015-03-19 14:14:03 UTC
The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access.

A local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.

Upstream patch:

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=2351c83a77a478b49cba6beb2ad386835e264744

External References:

http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/
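
The truncation pattern described above, as an added illustration that is not libXfont's code and not the upstream patch: metrics are parsed as 32-bit `int` and narrowed into 16-bit fields, first without and then with a range check. The struct, function names and the sample `BBX` line are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-bit glyph metrics record (names are illustrative only). */
struct metrics16 { int16_t left, right, ascent, descent; };

/* Parse a BDF "BBX w h xoff yoff" line into 32-bit ints; returns 1 on success. */
static int parse_bbx(const char *line, int *bw, int *bh, int *bl, int *bb)
{
    return sscanf(line, "BBX %d %d %d %d", bw, bh, bl, bb) == 4;
}

static int fits16(long long v) { return v >= INT16_MIN && v <= INT16_MAX; }

/* Flawed pattern: values narrowed to 16 bits with no range check
 * (out-of-range conversion is implementation-defined; GCC/Clang wrap). */
static void store_unchecked(struct metrics16 *m, int bw, int bh, int bl, int bb)
{
    m->left    = (int16_t)bl;
    m->right   = (int16_t)((long long)bl + bw);
    m->ascent  = (int16_t)((long long)bh + bb);
    m->descent = (int16_t)(-(long long)bb);
}

/* Hardened pattern: reject inputs or derived values that do not fit int16_t. */
static int store_checked(struct metrics16 *m, int bw, int bh, int bl, int bb)
{
    long long right = (long long)bl + bw, ascent = (long long)bh + bb;
    long long descent = -(long long)bb;
    if (bw < 0 || bh < 0) return 0;
    if (!fits16(bl) || !fits16(right) || !fits16(ascent) || !fits16(descent))
        return 0;
    m->left = (int16_t)bl;       m->right = (int16_t)right;
    m->ascent = (int16_t)ascent; m->descent = (int16_t)descent;
    return 1;
}

/* Width as later code would derive it from the stored 16-bit fields. */
static int stored_width(const struct metrics16 *m) { return m->right - m->left; }

int main(void)
{
    const char *line = "BBX 65537 8 0 0";   /* constructed sample input */
    struct metrics16 m = {0};
    int bw, bh, bl, bb;
    if (!parse_bbx(line, &bw, &bh, &bl, &bb)) return 1;
    store_unchecked(&m, bw, bh, bl, bb);
    printf("parsed width %d, stored width %d\n", bw, stored_width(&m));
    printf("checked store accepted: %d\n", store_checked(&m, bw, bh, bl, bb));
    return 0;
}
```

Once the stored width disagrees with the parsed width, any size or offset derived from one and applied to data laid out with the other is wrong, which is why the checked variant rejects the glyph instead of narrowing it.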

Comment 1 Martin Prpič 2015-03-19 14:15:14 UTC
Created libXfont tracking bugs for this issue:

Affects: fedora-all [bug 1203720]

Comment 2 Fedora Update System 2015-03-23 07:17:15 UTC
libXfont-1.5.1-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 errata-xmlrpc 2015-09-03 11:26:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:1708 https://rhn.redhat.com/errata/RHSA-2015-1708.html

Comment 5 ddu 2015-09-07 05:07:51 UTC
Hi guys,

Does this CVE affect the libXfont shipped with RHEL5?

Best regards,
Dapeng

Comment 6 Matt Goldman 2015-09-07 14:08:32 UTC
Dapeng,

Yes, from the whiteboard RHEL 5 is affected:

  rhel-5/libXfont=affected

However, RHEL 5 has entered Production Phase 3 as of January 31, 2014. As per our errata policy:
    
    "During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."
    Red Hat Enterprise Linux Life Cycle
    https://access.redhat.com/support/policy/updates/errata#Production_3_Phase

This means that Red Hat will not be addressing Low, Moderate, or Important impact CVEs in relation to RHEL 5.