From Matthieu Herrb: iDefense has brought to X.Org's security team 2 vulnerabilities in X.Org's font server, xfs. The 1st one is an integer overflow in the build_range() function, exploitable by the QueryXBitmaps and QueryXExtents requests. The 2nd one is a potential heap overflow in the swap_char2b() function, exploitable by the same 2 requests, to arbitrarily swap bytes two by two on the heap. X.Org 7.3 (released today) as well as all previous versions are vulnerable. Other implementations of the X font server based on the original X/MIT implementation are likely to be vulnerable too. The impact of these vulnerabilities is pretty low according to both iDefense's analysis and mine: most modern systems ship xfs either disabled by default or listening only to a local Unix domain socket, so it's not remotely accessible; moreover, the nature of the overflow makes it difficult to actually exploit the vulnerability to get code executed (but it's not strictly speaking impossible afaict); and last, xfs should not be running as root anywhere. Disclosure date: October 2, 14H GMT
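The bug class described above, a client-supplied count multiplied into a byte length that wraps before a heap allocation, as an added illustration that is not xfs source and not the upstream patch; the element size, the bound and all function names are hypothetical:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of sizing a heap buffer from a request's element count.
 * Hypothetical names; not xfs's build_range(). */

#define ELEM_SIZE 2u      /* hypothetical 2-byte element, like a CHAR2B code */
#define MAX_ELEMS 65535u  /* hypothetical per-request upper bound */

/* Naive computation: a 32-bit multiply wraps, so a huge count can yield
 * a tiny length and therefore a too-small allocation. */
uint32_t naive_byte_len(uint32_t count) {
    return count * ELEM_SIZE;   /* 0x80000001 * 2 wraps to 2 */
}

/* Hardened: reject counts above the bound, counts whose product would wrap,
 * and counts not backed by enough bytes in the request body. */
int checked_byte_len(uint32_t count, size_t body_len, size_t *out_len) {
    if (count > MAX_ELEMS) return -1;
    if (count > SIZE_MAX / ELEM_SIZE) return -1;       /* no wrap possible */
    size_t need = (size_t)count * ELEM_SIZE;
    if (need > body_len) return -1;                    /* body too short */
    *out_len = need;
    return 0;
}

/* Copy elements into a fresh heap buffer only after the length is validated. */
uint8_t *copy_elements(const uint8_t *body, size_t body_len,
                       uint32_t count, size_t *out_len) {
    size_t need;
    if (checked_byte_len(count, body_len, &need) != 0) return NULL;
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf) return NULL;
    memcpy(buf, body, need);
    *out_len = need;
    return buf;
}
```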
Created attachment 189581: Upstream patch against X.Org 7.2 for first issue.
Created attachment 189591: Upstream patch against X.Org 7.2 for second issue.
I believe these flaws should be given a low severity rating. The worst possible outcome would be a local user gaining access to the xfs user, which really only has access to the xfs daemon. Even if the xfs daemon dies, a running X session will continue, so there is minimal loss of functionality.
Created attachment 197041: Updated patch provided by Matthieu Herrb (both fixed now in one patch)
Lifting embargo; http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602
Each of the vulnerabilities has now got a separate CVE id: CVE-2007-4568: Integer overflow in the build_range function in X.Org X Font Server (xfs) before 1.0.5 allows context-dependent attackers to execute arbitrary code via (1) QueryXBitmaps and (2) QueryXExtents protocol requests with crafted size values, which triggers a heap-based buffer overflow. The second issue was assigned CVE id CVE-2007-4990, see separate bug #322961.
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0030.html http://rhn.redhat.com/errata/RHSA-2008-0029.html
Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4263
Statement: Red Hat Enterprise Linux 5 is now in the Production 3 Phase of its support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.