This package appears to embed an old and vulnerable version of libXfont which is prone to CVE-2008-0006 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0006 There is also an older vulnerability in libXfont CVE-2006-3467 which I have not verified is or isn't present in nx. Version-Release number of selected component (if applicable): Name: nx Arch: i686 Version: 3.3.0 Release 38.fc12 Additional info: It has been hard to figure out exactly which version of libXfont is in nx. Instead I have done a diff between the current Fedora release of libXfont (1.4.1) and the nx version. Note that the CVE alert says that the version of libXfont that is first fixed is in 1.4.1. The diff shows a number of changes, but of note are some additional checks, some of which I will show from pcfread.c, which is what CVE-2008-0006 seems to relate to. @@ -137,7 +133,11 @@ return (PCFTablePtr) NULL; count = pcfGetLSB32(file); if (IS_EOF(file)) return (PCFTablePtr) NULL; - tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec)); + if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) { + pcfError("pcfReadTOC(): invalid file format\n"); + return NULL; + } + tables = malloc(count * sizeof(PCFTableRec)); if (!tables) { pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec)); return (PCFTablePtr) NULL; This seems fairly clear some integer overflow issues are being corrected. I have not included the complete diff which has more checks added. The preferred solution is that nx link against the system wide libXfont library to avoid potential future issues.
We looked at other vnc clients in the past for CVE-2008-0006 and it was determined that this issue was not security-sensitive as the application was not setuid (as Xorg/XFree86), so no trust boundary was crossed. When you are allowed to connect to remote VNC server and run arbitrary code there / setup arbitrary font paths / ..., there's unlikely to be any reason to exploit VNC flaws. Having said that, I think nx should use the system libXfont so I am leaving this bug open and encourage the maintainer to build nx in such a way as to use system libraries as per Fedora packaging policy: http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
Removing security restriction, the issue is public and is not considered security in this context (see comment #1).
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Bumping this to rawhide; it isn't necessary to fix this in a release for F14/F15, but would be good to do so going forward (making nx use the system libXfont)
3.5.0-13 doesn't actually fix this (the change to the syslibs patch is a noop), I'm looking into getting the intended fix actually applied. Also, not that I object to it, but I'm not certain which of the criteria for hardening does this package meet (the changelog or commit message doesn't say), what do you think: https://fedoraproject.org/wiki/Packaging:Guidelines#PIE
It could be long-running, which was my thought. It wasn't intended as a "must" but as a "probably better to do it than not".
Ok, no problem with that. But building with system libXfont breaks nxagent, trying to connect fails: /usr/libexec/nx/nxagent: symbol lookup error: /usr/libexec/nx/nxagent: undefined symbol: check_fs_register_fpe_functions I don't have time to investigate more in the near future, so hopefully someone else can chime in. To actually build with system libXfont, change nx-3.5.0-syslibs.patch to move "#define XserverStaticFontLib NO" outside of the related C-style comment block instead of just removing # from the beginning of the line.
Any progress, or should I just revert?
No progress, but other than the misleading %changelog entry, I don't think the update does any harm - as noted the xfont related patch change was a no-op. So no need to revert at least yet IMO.
This almost trickled into F-18 so I've reverted it in -14; the libXi-devel build dep fix is something that needs to be fixed in libXtst-devel's deps instead (done in 1.2.1-3) so I've reverted that as well.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Hello limburgher, Could you please fix this soon?
nx has been replaced/obsoleted by nx-libs which no longer embeds Xfont.