Bug 13373 - libxfont new security issues CVE-2014-0209, CVE-2014-0210, CVE-2014-0211
Summary: libxfont new security issues CVE-2014-0209, CVE-2014-0210, CVE-2014-0211
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/598578/
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-13 17:50 CEST by David Walser
Modified: 2014-07-04 20:52 CEST (History)
5 users (show)

See Also:
Source RPM: libxfont-1.4.8-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-05-13 17:50:02 CEST 
Multiple security issues in libxfont were announced today (May 13):
http://seclists.org/oss-sec/2014/q2/302

They will be fixed upstream in version 1.4.8.

Mageia 3 and Mageia 4 are also affected.

As far as backporting fixes, only CVE-2014-0209 sounds important (heap overflow).  The other two issues depend on xfs, which we stopped using several years ago (thankfully).

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-13 17:50:17 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-05-14 18:54:43 CEST 
Debian and Ubuntu have issued advisories for this on May 13 and May 14:
https://www.debian.org/security/2014/dsa-2927
http://www.ubuntu.com/usn/usn-2211-1/

Thierry, Ubuntu says that as of Ubuntu 14.04 they've used the --disable-fc configure option in libxfont to explicitly disable support for xfs (which also eliminates the CVE-2014-021[01] vulnerabilities).  Should we do the same?

URL: (none) => http://lwn.net/Vulnerabilities/598578/

Comment 2 David Walser 2014-05-20 22:02:31 CEST 
I built 1.4.8 locally, but the build failed in Cauldron:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140520195850.luigiwalser.valstar.10808/log/libxfont-1.4.8-1.mga5/build.0.20140520195901.log

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

David Walser 2014-05-20 22:02:42 CEST

Version: 4 => Cauldron
Whiteboard: MGA3TOO => MGA4TOO, MGA3TOO

Comment 3 David Walser 2014-06-24 00:27:08 CEST 
With a patch from upstream via omdv, it builds now in Cauldron.

Version: Cauldron => 4

Comment 4 David Walser 2014-06-24 00:48:52 CEST 
I did a second build in Cauldron, disabling xfs support.  I left it alone in mga3/mga4 for now.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated libxfont packages fix security vulnerabilities:

Ilja van Sprundel discovered that libXfont incorrectly handled font
metadata file parsing. A local attacker could use this issue to cause
libXfont to crash, or possibly execute arbitrary code in order to gain
privileges (CVE-2014-0209).

Ilja van Sprundel discovered that libXfont incorrectly handled X Font
Server replies. A malicious font server could return specially-crafted data
that could cause libXfont to crash, or possibly execute arbitrary code
(CVE-2014-0210, CVE-2014-0211).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211
http://www.ubuntu.com/usn/usn-2211-1/
========================

Updated packages in core/updates_testing:
========================
libxfont1-1.4.5-3.2.mga3
libxfont1-devel-1.4.5-3.2.mga3
libxfont1-static-devel-1.4.5-3.2.mga3
libxfont1-1.4.7-1.1.mga4
libxfont-devel-1.4.7-1.1.mga4

from SRPMS:
libxfont-1.4.5-3.2.mga3.src.rpm
libxfont-1.4.7-1.1.mga4.src.rpm

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => major

Comment 5 Lewis Smith 2014-06-24 22:13:14 CEST 
Testing MGA4 64-bit real hardware

Updated to lib64xfont1-1.4.7-1.1.mga4 OK.
How do I know whether the library is being used? Just a bit of normal usage?

CC: (none) => lewyssmith

Comment 6 David Walser 2014-06-24 22:23:32 CEST 
My understanding is that different types of fonts are handled by different libraries.  Certainly you'll need to restart the X server (log out and restart the X server from the DM) for the updated library to start being used.  I guess try using several different types of fonts in some applications (like LibreOffice Writer) and make sure things generally seem the same.
Comment 7 David Walser 2014-06-25 17:00:20 CEST 
More info on this.  Only CVE-2014-0209 is really important here IMO.

From http://lists.x.org/archives/xorg-announce/2014-May/002431.html:
    When a local user who is already authenticated to the X server adds
    a new directory to the font path, the X server calls libXfont to open
    the fonts.dir and fonts.alias files in that directory and add entries
    to the font tables for every line in it.  A large file (~2-4 gb) could
    cause the allocations to overflow, and allow the remaining data read 
    from the file to overwrite other memory in the heap.

These pages shows how to add directories to the font path at runtime:
http://www.freebsd.org/doc/handbook/x-fonts.html
http://www.x.org/archive/X11R6.8.0/doc/fonts2.html


Speaking of which, we should add the upstream advisory to the References:
http://lists.x.org/archives/xorg-announce/2014-May/002431.html
Comment 8 Lewis Smith 2014-06-26 20:24:54 CEST 
Testing MGA4 64-bit real hardware

Added a font directory & copied a few existing fonts into it. Did
$ mkfontscale <fontdir>
$ mkfontdir <fontdir>
which created fonts.dir & fonts.scale .
$ xset fp+ <fontdir>
$ xset q
correctly added this fontdir to the pathlist:
Font Path:
  catalogue:/etc/X11/fontpath.d,built-ins,/home/lewis/.fonts
Confused about the difference between:
- Configuring Xft [fontconfig]
- Configuring the core X11 fonts system
and things mentioned in http://www.x.org/archive/X11R6.8.0/doc/fonts2.html which I could not find: specific sections in specific config files.

Without anything nasty happening, I'm OKing this.

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 9 David Walser 2014-06-26 20:31:54 CEST 
(In reply to Lewis Smith from comment #8)
> Confused about the difference between:
> - Configuring Xft [fontconfig]
> - Configuring the core X11 fonts system
> and things mentioned in http://www.x.org/archive/X11R6.8.0/doc/fonts2.html
> which I could not find: specific sections in specific config files.

So I think what's relevant here is the core X11 fonts, as Xft/fontconfig should use different libraries.

> Without anything nasty happening, I'm OKing this.

Nice job.  Thanks.
Comment 10 Marc Lattemann 2014-06-29 23:34:40 CEST 
testing on MGA4 32bit the same procedure as Lewis did in Comment #8.

Font Path:
  catalogue:/etc/X11/fontpath.d,built-ins,/home/marc/fonts/

Citing Lewis: nothing nasty happened.

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-64-OK

David Walser 2014-06-29 23:47:32 CEST

Whiteboard: MGA3TOO MGA4-64-OK MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 11 Marc Lattemann 2014-06-30 00:00:21 CEST 
tested the same way for MGA3 32bit and 64bit. Everything is fine as described above.
For me this update can be validated if those tests are sufficient.

CC: (none) => marc.lattemann

Marc Lattemann 2014-06-30 00:01:14 CEST

CC: marc.lattemann => (none)
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 12 Rémi Verschelde 2014-07-02 22:13:31 CEST 
Validating update, advisory uploaded.

Please push libxfont to Mageia 3 and 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 13 Thomas Backlund 2014-07-04 20:52:26 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0278.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.