Bug 1914 - size limit for -fp argument
Summary: size limit for -fp argument
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: x86 (IA32) All
Importance: high normal
Assignee: Xorg Project Team
Blocks: 1802
Reported: 2004-11-24 06:31 UTC by Alexander Gottwald
Modified: 2004-12-13 16:52 UTC (History)

Attachments
proposed patch (789 bytes, patch)
2004-11-24 06:34 UTC, Alexander Gottwald
roland.mainz: 6.8-branch-

Description Alexander Gottwald 2004-11-24 06:31:31 UTC
The xserver has length checks for all commandline arguments including the
argument to -fp. The fontpath can be quite long and the limit of 256 characters
is reached quite fast.
Comment 1 Alexander Gottwald 2004-11-24 06:34:46 UTC
Created attachment 1365
proposed patch

The patch checks for "-fp" as argument and skips the length check for "-fp" and
the next argument and continues with the check of the argument for unprintable
characters.
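
A minimal sketch of the check described in comment 1, added here as an illustration; it is not the attached patch or the X server's code. The names `check_args`, `arg_status` and `MAX_ARG_LENGTH` are hypothetical, the 256-character limit is the one from the bug description, and the sample arguments are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARG_LENGTH 256   /* the limit quoted in the bug description */

enum arg_status { ARG_OK = 0, ARG_TOO_LONG, ARG_UNPRINTABLE };

/* Return 1 if every byte of s is printable in the "C" locale. */
static int all_printable(const char *s)
{
    for (; *s != '\0'; s++)
        if (!isprint((unsigned char)*s))
            return 0;
    return 1;
}

/* Hypothetical checker (not the X server's function). Validates
 * argv[1..argc-1]; on failure stores the offending index in *bad. */
enum arg_status check_args(int argc, char *const argv[], int *bad)
{
    int fp_value = 0;   /* 1 while argv[i] is the value that follows "-fp" */

    for (int i = 1; i < argc; i++) {
        *bad = i;
        /* Only the length limit is waived, and only for the one
         * argument directly after "-fp". */
        if (!fp_value && strlen(argv[i]) > MAX_ARG_LENGTH)
            return ARG_TOO_LONG;
        /* The character check still applies to the font path. */
        if (!all_printable(argv[i]))
            return ARG_UNPRINTABLE;
        fp_value = !fp_value && strcmp(argv[i], "-fp") == 0;
    }
    *bad = -1;
    return ARG_OK;
}

int main(void)
{
    char path[1001];                 /* constructed 1000-byte font path */
    memset(path, 'f', sizeof path - 1);
    path[sizeof path - 1] = '\0';
    char *as_fp[]    = { "X", "-fp", path };
    char *as_other[] = { "X", "-other", path };   /* constructed option */
    int bad;
    printf("after -fp:    status %d\n", check_args(3, as_fp, &bad));
    printf("after -other: status %d\n", check_args(3, as_other, &bad));
    return 0;
}
```

The exemption removes the only upper bound on that one string, so every later consumer of the font path has to cope with arbitrary length on its own.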
Comment 2 Roland Mainz 2004-11-24 14:27:41 UTC
Nice catch (I remember that Sun staff hit the same problem a while ago but I
don't know whether they made a patch to cure the problem) :)
Comment 3 Alexander Gottwald 2004-11-25 04:51:29 UTC
/cvs/xorg/xc/ChangeLog,v  <--  ChangeLog
new revision: 1.544; previous revision: 1.543
/cvs/xorg/xc/programs/Xserver/os/utils.c,v  <--  utils.c
new revision: 1.10; previous revision: 1.11

fixed in HEAD
Comment 4 Alexander Gottwald 2004-11-25 04:57:02 UTC
/cvs/xorg/xc/ChangeLog,v  <--  ChangeLog
new revision: 1.369.2.4; previous revision: 1.369.2.3
/cvs/xorg/xc/programs/Xserver/os/utils.c,v  <--  utils.c
new revision: 1.1.4.3.2.5; previous revision: 1.1.4.3.2.4

fixed in CYGWIN
Comment 5 Alan Coopersmith 2004-12-03 10:45:37 UTC
Yes, we hit this when setting up our VSW5 scripts to run with Xorg, but we
didn't patch it, just changed the scripts to put the font path settings in
xorg.conf instead of passing them on the command line.
Comment 6 Egbert Eich 2004-12-07 10:41:25 UTC
I wonder if this may create a security problem.
Doing away with the test means that one can pass an arbitrarily long argument to
-fp.
There must have been a reason that we were so restrictive on the argument length.
Comment 7 Alexander Gottwald 2004-12-13 08:12:49 UTC
The pointer to the -fp argument is directly assigned to defaultFontPath, which is
handled in dix/dixfonts.c (SetDefaultFontPath). The code there can handle strings
of arbitrary length. The result is the fontpath string split on ",", which is
passed on to SetFontPathElements. If there are size restrictions later on then
it could be exploited with xset -fp too.
Comment 8 Roland Mainz 2004-12-14 11:52:08 UTC
Comment on attachment 1365
proposed patch

Approval for X11R6.8.x stable branch DENIED in the 2004-12-13 release-wranglers
phone call as the possible security side-effects need to be figured out first
(e.g. all consumers of this code need to be audited for security issues).