Bugzilla – Bug 8001
cidafm() integer overflows
Last modified: 2006-09-13 15:48:29 UTC
I'm so very happy. No embargo date as yet. Quoting iDefense:
Local exploitation of an integer overflow vulnerability in the 'CIDAFM()'
function in the X.Org and XFree86 X server could allow an attacker to
execute arbitrary code with privileges of the X server, typically root.
The vulnerability specifically exists in the 'CIDAFM()' function of the code
responsible for handling AFM (Adobe Font Metrics) files. The number of character
metrics is obtained from the "StartCharMetrics" line of an AFM file and that
value is then multiplied by the size of a single character metric record in
order to calculate the space required to store the metrics. If the result of the
multiplication is larger than the largest value that can be held in an integer,
the amount actually allocated will be much smaller. Following this, the function
attempts to read as many metric records as were specified on the line into that
memory. As the contents of the file can be specified by a local user, and as the
function will stop reading if an error is detected in the input, a controlled
heap overflow may occur which may allow the execution of arbitrary code.
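The allocation-size bug the advisory describes, modelled as an added example. This is not X.Org or XFree86 code and not the iDefense proof of concept: the record size (12 bytes), the parsing helpers and the AFM snippets are assumptions constructed for illustration. Arithmetic is done in uint32_t to reproduce the 32-bit wraparound deterministically; the unchecked product is placed beside a checked version that refuses the allocation when count * record size would not fit.

```c
/*
 * Added example (not X.Org/XFree86 code): models the AFM StartCharMetrics
 * allocation bug.  METRIC_REC_SIZE, the helpers and the sample AFM text are
 * assumptions; uint32_t arithmetic stands in for a 32-bit size_t so the
 * wraparound is well defined (signed overflow would be undefined behaviour).
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of one character-metric record, in bytes (assumption). */
#define METRIC_REC_SIZE 12u

/* Constructed AFM inputs: one that triggers the wrap, one that is benign. */
static const char AFM_MALICIOUS[] =
    "StartFontMetrics 4.1\n"
    "FontName Example\n"
    "StartCharMetrics 357913942\n"          /* 357913942 * 12 = 2^32 + 8 */
    "C 32 ; WX 600 ; N space ; B 0 0 0 0 ;\n"
    "EndCharMetrics\n"
    "EndFontMetrics\n";

static const char AFM_BENIGN[] =
    "StartFontMetrics 4.1\n"
    "StartCharMetrics 2\n"
    "C 32 ; WX 600 ; N space ; B 0 0 0 0 ;\n"
    "C 33 ; WX 600 ; N exclam ; B 0 0 0 0 ;\n"
    "EndCharMetrics\n";

/* Unchecked size calculation in the spirit of the vulnerable code:
 * count * sizeof(record) wraps silently modulo 2^32, so a huge count
 * yields a tiny allocation that the following reads then overrun. */
static uint32_t metrics_alloc_size_unchecked(uint32_t n_metrics, uint32_t rec_size)
{
    return n_metrics * rec_size;
}

/* Hardened version: returns 1 and stores the byte count if the product
 * fits in 32 bits, 0 if it would overflow (caller must reject the file). */
static int metrics_alloc_size_checked(uint32_t n_metrics, uint32_t rec_size, uint32_t *out)
{
    if (rec_size == 0 || n_metrics > UINT32_MAX / rec_size)
        return 0;
    *out = n_metrics * rec_size;
    return 1;
}

/* Find the "StartCharMetrics N" line at the start of a line and return N.
 * Returns -1 if the line is missing, N is negative, does not fit in
 * uint32_t, or is followed by anything but whitespace and end of line. */
static long long parse_start_char_metrics(const char *afm)
{
    static const char key[] = "StartCharMetrics";
    const char *p = afm;
    while ((p = strstr(p, key)) != NULL) {
        if (p != afm && p[-1] != '\n') { p += strlen(key); continue; }
        p += strlen(key);
        if (*p != ' ' && *p != '\t') continue;
        char *end;
        errno = 0;
        long long v = strtoll(p, &end, 10);
        if (errno != 0 || end == p || v < 0 || v > (long long)UINT32_MAX)
            return -1;
        while (*end == ' ' || *end == '\t' || *end == '\r') end++;
        if (*end != '\n' && *end != '\0')
            return -1;
        return v;
    }
    return -1;
}

/* What a safe parser should do before allocating: validate the count and
 * the size product.  Returns 1 with *bytes set, or 0 to reject the file. */
static int safe_metrics_buffer_size(const char *afm, uint32_t *bytes)
{
    long long n = parse_start_char_metrics(afm);
    if (n < 0)
        return 0;
    return metrics_alloc_size_checked((uint32_t)n, METRIC_REC_SIZE, bytes);
}

int main(void)
{
    long long n = parse_start_char_metrics(AFM_MALICIOUS);
    uint32_t bytes;
    printf("count=%lld unchecked alloc=%u bytes\n", n,
           metrics_alloc_size_unchecked((uint32_t)n, METRIC_REC_SIZE));
    printf("checked: %s\n",
           safe_metrics_buffer_size(AFM_MALICIOUS, &bytes) ? "accepted" : "rejected");
    printf("benign: %s, %u bytes\n",
           safe_metrics_buffer_size(AFM_BENIGN, &bytes) ? "accepted" : "rejected", bytes);
    return 0;
}
```

With the malicious header the unchecked product comes out as 8 bytes, so a parser that then loops `count` times writing 12-byte records into that buffer overruns the heap almost immediately; the checked path rejects the same count because it exceeds UINT32_MAX / 12. On a 64-bit size_t the product would not wrap at this count, but the bound check costs nothing and also catches counts that exhaust memory.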
*** Bug 8005 has been marked as a duplicate of this bug. ***
This is CVE-2006-3739
Patches committed and advisory released.