| Field | Value |
|---|---|
| Summary | PCF font parser vulnerability |
| Product | xorg |
| Component | Security |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | medium |
| Version | 7.3 (2007.09) |
| Hardware | Other |
| OS | All |
| Reporter | Matthieu Herrb <matthieu.herrb> |
| Assignee | X.Org Security <xorg_security> |
| QA Contact | X.Org Security <xorg_security> |
| CC | alan.coopersmith, bressers, jcristau, sndirsch |
Description

Matthieu Herrb, 2007-12-04 13:18:32 UTC

Created attachment 12946 [details]
cert vulnerability report

Created attachment 12947 [details]
POC PCF file
Any proposed fix for this yet? Are we planning on releasing on January 8 with the iDefense fixes?

The original report contains some hints on how to fix that, but I haven't got to implement them yet. If possible yes, I'd like to release this on January 8, with the other fixes for the issues reported by iDefense.

has a CVE id been assigned for this?

Thanks,
Julien

(In reply to comment #5)
> has a CVE id been assigned for this?
>
Not as far as I know.

As there's no patch yet, I would suggest that this shouldn't be included in the mass unembargo tomorrow.

(In reply to comment #7)
> As there's no patch yet, I would suggest that this shouldn't be included in the
> mass unembargo tomorrow.
>
The unembargo date has been postponed by one week. Are xorg_security@ messages stuck again? And yes, there's a patch for this, I just forgot to attach it here.

Created attachment 13582 [details] [review]
patch from Alan - xserver part

Created attachment 13583 [details] [review]
patch from Alan - libXfont part

Does this issue have a CVE yet?

(In reply to comment #11)
> Does this issue have a CVE yet?
>
No. And I realized by re-checking my log for this bug that I never got any ack from CERT for the release date. So it will need to be separated from the other bugs. I've asked them again.

We'd really prefer to do them all at once. And given that the patch in comment #9 looks like a unified patch for _all_ the outstanding issues, and that you seem to have attributed it to Alan, I suspect at least one other vendor wants them all done at once too.

My security goons tell me we can get a CVE ID pretty quickly, let me know if you want us to take that up.

We'd prefer one release for all too. And while I forwarded the patch to xorg_security, it was developed for us by Jeremy Uejio in our sustaining team.

(In reply to comment #13)
> We'd really prefer to do them all at once. And given that the patch in comment
> #9 looks like a unified patch for _all_ the outstanding issues, and that you
> seem to have attributed it to Alan, I suspect at least one other vendor wants
> them all done at once too.
>
> My security goons tell me we can get a CVE ID pretty quickly, let me know if
> you want us to take that up.
>
Yes. If it happens that US CERT also allocated one, this can be cleaned up before it goes public. But still don't have any answer from them.

(In reply to comment #13)
> We'd really prefer to do them all at once. And given that the patch in comment
> #9 looks like a unified patch for _all_ the outstanding issues, and that you
> seem to have attributed it to Alan, I suspect at least one other vendor wants
> them all done at once too.
No, I goofed and sent the whole diff (including the iDefense problems) I have in my tree. The patch for this, prepared by Alan, is only the dixfonts.c part...

Matthieu,

Use CVE-2008-0006 for this flaw.

Mail CERT back, telling them this CVE id, and let them know what you plan to do. If we should release this with the various other pending security flaws, tell them that unless they tell you no, you assume their silence is agreement. There's no sense in holding up a release due to a negligent reporting organization.

It may make sense to push the embargo out a few days though to give others more time to test this fix.

(In reply to comment #17)
> Matthieu,
>
> Use CVE-2008-0006 for this flaw.
>
> Mail CERT back, telling them this CVE id, and let them know what you plan to
> do. If we should release this with the various other pending security flaws,
> tell them that unless they tell you no, you assume their silence is agreement.
> There's no sense in holding up a release due to a negligent reporting
> organization.
>
> It may make sense to push the embargo out a few days though to give others more
> time to test this fix.
>
I've sent email to CERT telling them we're making the bug public on Thursday, unless they answer before Tuesday.

(In reply to comment #18)
> (In reply to comment #17)
> > Matthieu,
> >
> > Use CVE-2008-0006 for this flaw.
> >
> > Mail CERT back, telling them this CVE id, and let them know what you plan to
> > do. If we should release this with the various other pending security flaws,
> > tell them that unless they tell you no, you assume their silence is agreement.
> > There's no sense in holding up a release due to a negligent reporting
> > organization.
> >
> > It may make sense to push the embargo out a few days though to give others more
> > time to test this fix.
> >
> I've sent email to CERT telling them we're making the bug public on Thursday, unless
> they answer before Tuesday.
>
Still no answer from CERT, so let's move forward. Patch has been committed to xserver: 8e133d96740d010a4fd969a8188e6e71fb2cafe2 and libXfont: b76df66d2c507898472bba0f9986ef5700029a36. And this is public now.

In regards to the libXfont part patch as applied above.

I noticed that pmfReadFont() has _almost_ identical code as the pcfReadFont(), except of course the "security fix" is not being applied there. (See line ~931 in the libXfont-1.3.3 source of src/bitmap/pcfread.c)

I don't know what pmf is and failed to find sufficient information to figure this out myself.

So my question is: Should pmfReadFont() also be patched in the same (or similar) way as pcfReadFont()?

(In reply to comment #21)
> In regards to the libXfont part patch as applied above.
>
> I noticed that pmfReadFont() has _almost_ identical code as the pcfReadFont(),
> except of course the "security fix" is not being applied there. (See line ~931
> in the libXfont-1.3.3 source of src/bitmap/pcfread.c)
>
> I don't know what pmf is and failed to find sufficient information to figure
> this out myself.
It's the font format used by the Xprint server. So if vulnerable, the impact is lower. Xprint should not run privileged and afaik there's no way to make the regular X server use pmf fonts.

> So my question is: Should pmfReadFont() also be patched in the same (or
> similar) way as pcfReadFont()?
Probably, yes. I'll have a deeper look...
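The thread above never spells out what the "security fix" in pcfReadFont() checks, and the committed patches (attachments 13582/13583, commits 8e133d96 and b76df66d) are not reproduced on this page. The following is an added illustration, written for this page and not taken from libXfont or the X server, of the class of check a font parser of this kind needs: a count read from the file is cross-checked against the other count it must agree with, and against the bytes actually present, before it is used to size an allocation or a loop. The file layout is a constructed toy subset of a PCF bitmaps table (real PCF has a table of contents, format words and a separate metrics table); `toy_pcf_read`, `try_font`, the `example_*` functions and the `MAX_GLYPHS` bound are all hypothetical names and values chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy layout (constructed for this example; all fields 32-bit little-endian):
 *   u32 nmetrics            glyph count a metrics table advertised
 *   u32 nbitmaps            glyph count the bitmaps table advertises
 *   u32 offsets[nbitmaps]   start of each glyph's bits inside data[]
 *   u32 bitmap_size         number of bytes in data[]
 *   u8  data[bitmap_size]
 */
enum pcf_status {
    PCF_OK = 0,
    PCF_ERR_TRUNCATED,        /* a count or length points past the end of the file */
    PCF_ERR_COUNT_MISMATCH,   /* nbitmaps != nmetrics */
    PCF_ERR_COUNT_TOO_LARGE,  /* nbitmaps above the assumed sanity bound */
    PCF_ERR_OFFSET_OOB,       /* a glyph offset lies outside data[] */
    PCF_ERR_NOMEM
};

#define MAX_GLYPHS 65536u     /* assumed bound: glyph indices are 16-bit in PCF */

struct toy_font {
    uint32_t nglyphs;
    const uint8_t **bits;     /* bits[i] points into the caller's file buffer */
};

static int rd_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4)       /* *pos <= len is maintained by the parser */
        return 0;
    *out = (uint32_t)buf[*pos] | (uint32_t)buf[*pos + 1] << 8 |
           (uint32_t)buf[*pos + 2] << 16 | (uint32_t)buf[*pos + 3] << 24;
    *pos += 4;
    return 1;
}

/* Parse buf[0..len) into *font; every file-supplied count is validated before use. */
enum pcf_status toy_pcf_read(const uint8_t *buf, size_t len, struct toy_font *font)
{
    size_t pos = 0;
    uint32_t nmetrics, nbitmaps, bitmap_size, i;

    font->nglyphs = 0;
    font->bits = NULL;
    if (!rd_u32(buf, len, &pos, &nmetrics) || !rd_u32(buf, len, &pos, &nbitmaps))
        return PCF_ERR_TRUNCATED;
    /* Per-glyph tables sized from nmetrics are indexed by bitmap number later;
     * a file that claims more bitmaps than metrics would index past them. */
    if (nbitmaps != nmetrics)
        return PCF_ERR_COUNT_MISMATCH;
    if (nbitmaps > MAX_GLYPHS)
        return PCF_ERR_COUNT_TOO_LARGE;
    if ((size_t)nbitmaps * 4 > len - pos)   /* the offset table must fit in the file */
        return PCF_ERR_TRUNCATED;

    uint32_t *offsets = malloc((nbitmaps ? nbitmaps : 1) * sizeof *offsets);
    if (!offsets)
        return PCF_ERR_NOMEM;
    for (i = 0; i < nbitmaps; i++)
        rd_u32(buf, len, &pos, &offsets[i]);  /* cannot fail: size checked above */

    if (!rd_u32(buf, len, &pos, &bitmap_size) || bitmap_size > len - pos) {
        free(offsets);
        return PCF_ERR_TRUNCATED;
    }
    const uint8_t *data = buf + pos;

    font->bits = malloc((nbitmaps ? nbitmaps : 1) * sizeof *font->bits);
    if (!font->bits) { free(offsets); return PCF_ERR_NOMEM; }
    for (i = 0; i < nbitmaps; i++) {
        if (offsets[i] >= bitmap_size) {      /* each glyph needs at least one byte of data[] */
            free(offsets); free(font->bits); font->bits = NULL;
            return PCF_ERR_OFFSET_OOB;
        }
        font->bits[i] = data + offsets[i];
    }
    free(offsets);
    font->nglyphs = nbitmaps;
    return PCF_OK;
}

void toy_font_free(struct toy_font *font) { free(font->bits); font->bits = NULL; font->nglyphs = 0; }

static size_t put_u32(uint8_t *b, size_t pos, uint32_t v)
{
    b[pos] = v & 0xff; b[pos + 1] = (v >> 8) & 0xff; b[pos + 2] = (v >> 16) & 0xff; b[pos + 3] = v >> 24;
    return pos + 4;
}

/* Build a constructed toy file, optionally cut to file_len_limit bytes, and parse it. */
static enum pcf_status try_font(uint32_t nmetrics, uint32_t nbitmaps, const uint32_t *offsets, size_t file_len_limit)
{
    static const uint8_t data[6] = { 0x80, 0x40, 0x20, 0xf0, 0x0f, 0xff };  /* constructed glyph bits */
    uint8_t blob[64];
    size_t n = 0;
    uint32_t i;
    struct toy_font font;

    n = put_u32(blob, n, nmetrics);
    n = put_u32(blob, n, nbitmaps);
    for (i = 0; i < nbitmaps; i++)
        n = put_u32(blob, n, offsets[i]);
    n = put_u32(blob, n, sizeof data);
    memcpy(blob + n, data, sizeof data);
    n += sizeof data;
    if (file_len_limit && file_len_limit < n)
        n = file_len_limit;                  /* simulate a truncated file */

    enum pcf_status st = toy_pcf_read(blob, n, &font);
    toy_font_free(&font);
    return st;
}

enum pcf_status example_wellformed(void)     { uint32_t o[2] = { 0, 3 }; return try_font(2, 2, o, 0); }
enum pcf_status example_count_mismatch(void) { uint32_t o[2] = { 0, 3 }; return try_font(1, 2, o, 0); }
enum pcf_status example_offset_oob(void)     { uint32_t o[2] = { 0, 6 }; return try_font(2, 2, o, 0); }
enum pcf_status example_truncated(void)      { uint32_t o[2] = { 0, 3 }; return try_font(2, 2, o, 10); }

int main(void)
{
    printf("well-formed:    %d (expect %d)\n", example_wellformed(), PCF_OK);
    printf("count mismatch: %d (expect %d)\n", example_count_mismatch(), PCF_ERR_COUNT_MISMATCH);
    printf("offset oob:     %d (expect %d)\n", example_offset_oob(), PCF_ERR_OFFSET_OOB);
    printf("truncated:      %d (expect %d)\n", example_truncated(), PCF_ERR_TRUNCATED);
    return 0;
}
```

The point of the shape is that no value taken from the file reaches `malloc`, a loop bound or a pointer computation until it has been compared against the other value it must agree with and against the remaining length of the buffer; the same structure applies to any sibling reader of the same tables, which is exactly the concern raised about pmfReadFont() above.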