Message-ID: <3F1330DC.5040102@era-it.ch>
Date: Tue, 15 Jul 2003 00:38:20 +0200
From: ruben unteregger <ruben.unteregger@...-it.ch>
To: bugtraq@...urityfocus.com
Subject: xfstt-1.4 vulnerability


---------------------------------------------------------------
ERA IT Solutions  AG            http://www.era-it.ch

Security Advisory  -   xfstt-1.4 vulnerability   -   11/07/2003
---------------------------------------------------------------

1. Vulnerability description
2. Impact
3. Notification status
4. Exploit status
5. Contact

---------------------------------------------------------------


1. Vulnerability description

The X Font Server for TrueType fonts (xfstt) version 1.4
(http://developer.berlios.de/projects/xfstt/) contains vulnerabilities
that can be triggered remotely.

In xfstt.cc, working() dispatches on the request opcode with
switch(buf[0]) { .. }, and the handlers are implemented very insecurely:
no bounds checks are performed on any buffer received from the network.
In at least two cases, FS_QueryXExtents8 and FS_QueryXBitmaps8, a client
can send a packet whose 'req->num_ranges' field is set to a very large
number; the following for-loop then iterates that many times and accesses
the array out of bounds. This bug crashes the child process serving that
connection with a segmentation fault and might even allow an attacker to
execute arbitrary code.
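The unchecked-count pattern the advisory describes, as an added example in C that is not xfstt's code: a request header whose num_ranges field is read straight off the wire and used as the loop bound, beside a handler that checks the count against both the bytes actually received and its own fixed-size table before looping. The struct layout, the two-byte range encoding, the placeholder opcode value, MAX_RANGES and the function names are assumptions made for this illustration and are not taken from xfstt.cc or the X Font Service protocol headers; the packets are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed request layout, loosely modelled on the 8-bit query requests of
 * the X Font Service protocol. Not xfstt's definitions. */
struct query_req {
    uint8_t  req_type;    /* opcode; placeholder value below, not the real one */
    uint8_t  range;       /* assumed: 1 = list of ranges follows */
    uint16_t length;      /* request length in 4-byte units */
    uint32_t fid;         /* font id */
    uint32_t num_ranges;  /* attacker-controlled count of ranges that follow */
};

struct char_range {       /* assumed encoding: one 8-bit range = 2 bytes */
    uint8_t min_char;
    uint8_t max_char;
};

#define REQ_QUERY_XEXTENTS8 15   /* placeholder opcode for this example */
#define MAX_RANGES 8             /* assumed fixed-size table in the handler */

/* Constructs a request that advertises `advertised` ranges in the header but
 * appends only the `n` ranges actually supplied. Returns bytes written. */
size_t build_request(uint32_t advertised, const struct char_range *r, size_t n,
                     uint8_t *out, size_t cap)
{
    size_t need = sizeof(struct query_req) + n * sizeof(struct char_range);
    if (need > cap) return 0;
    struct query_req hdr = { REQ_QUERY_XEXTENTS8, 1, 0, 1, advertised };
    hdr.length = (uint16_t)((need + 3) / 4);
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, r, n * sizeof *r);
    return need;
}

/* Vulnerable pattern: the loop bound comes straight from the wire. With
 * num_ranges far larger than the data received, the loop reads past the end
 * of buf and writes past the end of table. Only call this on well-formed
 * input; it is here to show the bug, not to exercise it. */
long count_glyphs_unchecked(const uint8_t *buf, size_t buflen)
{
    struct query_req req;
    struct char_range table[MAX_RANGES];
    const uint8_t *p = buf + sizeof req;
    long glyphs = 0;
    (void)buflen;                        /* never consulted: that is the bug */
    memcpy(&req, buf, sizeof req);
    for (uint32_t i = 0; i < req.num_ranges; ++i) {   /* unchecked bound */
        memcpy(&table[i], p + i * sizeof(struct char_range), sizeof table[i]);
        glyphs += table[i].max_char - table[i].min_char + 1;
    }
    return glyphs;
}

/* Hardened: reject a count that does not fit in the bytes actually received
 * or in the handler's own table, dividing rather than multiplying so the
 * size arithmetic cannot wrap. Returns -1 for a malformed request. */
long count_glyphs_checked(const uint8_t *buf, size_t buflen)
{
    struct query_req req;
    struct char_range table[MAX_RANGES];
    const uint8_t *p;
    size_t avail;
    long glyphs = 0;
    if (buflen < sizeof req) return -1;               /* truncated header */
    memcpy(&req, buf, sizeof req);
    if (req.num_ranges > MAX_RANGES) return -1;       /* would overflow table */
    avail = buflen - sizeof req;
    if ((size_t)req.num_ranges > avail / sizeof(struct char_range))
        return -1;                                    /* more ranges claimed than sent */
    p = buf + sizeof req;
    for (uint32_t i = 0; i < req.num_ranges; ++i) {
        memcpy(&table[i], p + i * sizeof(struct char_range), sizeof table[i]);
        if (table[i].max_char < table[i].min_char) return -1;  /* reversed range */
        glyphs += table[i].max_char - table[i].min_char + 1;
    }
    return glyphs;
}

int main(void)
{
    uint8_t pkt[64];
    struct char_range r[2] = { {0x20, 0x7e}, {0xa0, 0xff} };  /* constructed */
    size_t n = build_request(2, r, 2, pkt, sizeof pkt);
    printf("well-formed: unchecked=%ld checked=%ld\n",
           count_glyphs_unchecked(pkt, n), count_glyphs_checked(pkt, n));
    n = build_request(0x7fffffffu, r, 2, pkt, sizeof pkt);
    printf("num_ranges=0x7fffffff with 2 ranges present: checked=%ld\n",
           count_glyphs_checked(pkt, n));   /* unchecked handler deliberately not called */
    return 0;
}
```

The second packet is the shape the advisory describes: a small request whose header promises far more ranges than it carries. The checked handler refuses it before the loop runs; the unchecked one would walk ~2 GiB past the 16 bytes it was given.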


2. Impact

It is not yet clear whether this bug is exploitable for code execution. With a
specially crafted packet the daemon can be disabled (denial of service).


3. Notification status

The author of xfstt (Guillem Jover) was notified on May 28, 2003. No patch is
available yet, though version 1.5 is due to be released soon.


4. Exploit status

A proof-of-concept DoS exploit exists but has not been released.


5. Contact

era@...-it.ch

---------------------------------------------------------------

Thanks to Jonathan Heusser who originally found this bug.



