107739 2003-07-15  21:24  /64 lines/ ruben unteregger <ruben.unteregger@era-it.ch>
Imported: 2003-07-15  21:24  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5566>
Subject: xfstt-1.4 vulnerability
------------------------------------------------------------
---------------------------------------------------------------
ERA IT Solutions  AG            http://www.era-it.ch

Security Advisory  -   xfstt-1.4 vulnerability   -   11/07/2003
---------------------------------------------------------------

1. Vulnerability description
2. Impact
3. Notification status
4. Exploit status
5. Contact

---------------------------------------------------------------


1. Vulnerability description

The X Fontserver for TrueType fonts 1.4
(http://developer.berlios.de/projects/xfstt/
<http://freshmeat.net/redir/xfstt/11925/url_homepage/xfstt>) contains
vulnerabilities that can be triggered remotely.

In xfstt.cc:working() the switch(buf[0]) { .. } statement is implemented
very insecurely: no boundary checks are done on any network-received
buffers. In at least two cases, namely FS_QueryXExtents8 and
FS_QueryXBitmaps8, it is possible to craft a packet that sets
'req->num_ranges' to a very large number, which causes an out-of-bounds
array access in the following for-loop. This bug leads to a segmentation
fault of the specific child process and might even let an attacker
execute arbitrary code.
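The root cause described above is a length field taken from the network and used as a loop bound without comparing it to what was actually received. The following is an added illustration, not xfstt's code: it uses a constructed wire layout (a 4-byte header whose bytes 2..3 carry num_ranges, followed by 4-byte (first,last) records) and a hypothetical fixed-size server table of MAX_RANGES entries. bytes_loop_would_read() shows how far an unchecked loop would read past the packet; parse_ranges_checked() is the hardened form, which rejects a count that is inconsistent with the received length or larger than the destination table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire layout for illustration (not xfstt's real structure):
 *   byte 0     : request opcode
 *   byte 1     : padding
 *   bytes 2..3 : num_ranges, little-endian uint16
 *   then num_ranges records of 4 bytes: first (u16 LE), last (u16 LE)
 */
#define HDR_LEN    4
#define RANGE_LEN  4
#define MAX_RANGES 64   /* assumed size of the server-side range table */

struct range { uint16_t first; uint16_t last; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The unsafe pattern: trust the count in the header. Instead of performing the
 * access, return how many bytes the for-loop would read, so the overread is
 * visible next to the number of bytes actually received. */
size_t bytes_loop_would_read(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN) return 0;
    size_t num_ranges = rd16(buf + 2);
    return HDR_LEN + num_ranges * RANGE_LEN;
}

/* Hardened parse: returns the number of ranges copied into 'out', or -1 if
 * the packet is rejected. Both checks happen before the loop runs. */
int parse_ranges_checked(const uint8_t *buf, size_t len,
                         struct range *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || len < HDR_LEN) return -1;
    size_t num_ranges = rd16(buf + 2);
    /* More ranges claimed than the payload can hold: reject. */
    if (num_ranges > (len - HDR_LEN) / RANGE_LEN) return -1;
    /* More ranges than the destination table: reject. */
    if (num_ranges > out_cap) return -1;
    for (size_t i = 0; i < num_ranges; i++) {
        const uint8_t *rec = buf + HDR_LEN + i * RANGE_LEN;
        out[i].first = rd16(rec);
        out[i].last  = rd16(rec + 2);
        if (out[i].first > out[i].last) return -1;  /* malformed range */
    }
    return (int)num_ranges;
}

/* Constructed sample packets: a well-formed request with two ranges, and a
 * request whose header claims 65535 ranges but carries only one record. */
static const uint8_t good_pkt[] = { 0x10, 0x00, 0x02, 0x00,
                                    0x20, 0x00, 0x7e, 0x00,
                                    0xa0, 0x00, 0xff, 0x00 };
static const uint8_t bad_pkt[]  = { 0x10, 0x00, 0xff, 0xff,
                                    0x20, 0x00, 0x7e, 0x00 };

int demo_good(void)
{
    struct range table[MAX_RANGES];
    return parse_ranges_checked(good_pkt, sizeof good_pkt, table, MAX_RANGES);
}

int demo_bad(void)
{
    struct range table[MAX_RANGES];
    return parse_ranges_checked(bad_pkt, sizeof bad_pkt, table, MAX_RANGES);
}

size_t demo_bad_overread(void)
{
    return bytes_loop_would_read(bad_pkt, sizeof bad_pkt);
}

int main(void)
{
    printf("good packet: %d ranges accepted\n", demo_good());
    printf("bad packet: result %d; unchecked loop would read %zu bytes of a %zu-byte packet\n",
           demo_bad(), demo_bad_overread(), sizeof bad_pkt);
    return 0;
}
```

The two checks are deliberately separate: the first ties the count to the bytes the server actually holds, the second ties it to the table the records are written into. Either one alone leaves one of the two out-of-bounds directions (read past the packet, write past the table) open.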


2. Impact

It is as yet unclear whether this bug is exploitable. With a specially
crafted packet you can disable/DoS the daemon.


3. Notification status

The author of xfstt (Guillem Jover) was notified on May 28, 2003.
There is no patch available, though version 1.5 is soon to be released.


4. Exploit status

A proof-of-concept DoS exploit exists, albeit unreleased.


5. Contact

era@era-it.ch

---------------------------------------------------------------

Thanks to Jonathan Heusser who originally found this bug.