Red Hat Bugzilla – Bug 74228
12000 point Monospace leads to swap thrashing
Last modified: 2008-05-01 11:38:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830
Description of problem:
An attacker can set the font size to 12000 points, subsequently causing the
computer to thrash and slowing things down into a miserable mess.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Go to the profile editor (either for the current one or for another profile,
it doesn't seem to matter).
2. Go to the font selector.
3. Select Monospace, and punch in a 12000 point size.
4. Attempt to click on "OK".
Actual Results: Computer seems to become a perpetual thrashing machine (with
256MB RAM and 2GB swap -- I can't easily test this on computers with more RAM at
Expected Results: Perhaps an error message
This bug may have security implications on systems with untrusted local users.
Making the point size too big (say, 18000) just leads to an immediate segfault.
We should clamp the possible font size, but I don't consider it a security issue
because a user can only do this to themselves; someone else can't do it to you.
This is a potential local DoS for LTSP. Any malicious user could possibly
cripple it for everyone.
No more than with a trivial fork bomb or shell script. Being able to use all
system resources doesn't count as a security problem; there are millions of ways
to do it, unless you have set up hard resource quotas.
It's DoS'able via CSS in web browsers.
Known issue in libXfont.
Can't find the existing bug dupe, reassigning....
Found the duplicate bug number... closing as duplicate
*** This bug has been marked as a duplicate of 66658 ***