Bug 13373 - libxfont new security issues CVE-2014-0209, CVE-2014-0210, CVE-2014-0211
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/598578/
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32...
Keywords: validated_update
Reported: 2014-05-13 17:50 CEST by David Walser
Modified: 2014-07-04 20:52 CEST (History)
5 users

Source RPM: libxfont-1.4.8-1.mga5.src.rpm
Description David Walser 2014-05-13 17:50:02 CEST
Multiple security issues in libxfont were announced today (May 13):
http://seclists.org/oss-sec/2014/q2/302

They will be fixed upstream in version 1.4.8.

Mageia 3 and Mageia 4 are also affected.

As far as backporting fixes, only CVE-2014-0209 sounds important (heap overflow).  The other two issues depend on xfs, which we stopped using several years ago (thankfully).

Comment 1 David Walser 2014-05-14 18:54:43 CEST
Debian and Ubuntu have issued advisories for this on May 13 and May 14:
https://www.debian.org/security/2014/dsa-2927
http://www.ubuntu.com/usn/usn-2211-1/

Thierry, Ubuntu says that as of Ubuntu 14.04 they've used the --disable-fc configure option in libxfont to explicitly disable support for xfs (which also eliminates the CVE-2014-021[01] vulnerabilities).  Should we do the same?
Comment 3 David Walser 2014-06-24 00:27:08 CEST
With a patch from upstream via omdv, it builds now in Cauldron.
Comment 4 David Walser 2014-06-24 00:48:52 CEST
I did a second build in Cauldron, disabling xfs support.  I left it alone in mga3/mga4 for now.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated libxfont packages fix security vulnerabilities:

Ilja van Sprundel discovered that libXfont incorrectly handled font
metadata file parsing. A local attacker could use this issue to cause
libXfont to crash, or possibly execute arbitrary code in order to gain
privileges (CVE-2014-0209).

Ilja van Sprundel discovered that libXfont incorrectly handled X Font
Server replies. A malicious font server could return specially-crafted data
that could cause libXfont to crash, or possibly execute arbitrary code
(CVE-2014-0210, CVE-2014-0211).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211
http://www.ubuntu.com/usn/usn-2211-1/
========================

Updated packages in core/updates_testing:
========================
libxfont1-1.4.5-3.2.mga3
libxfont1-devel-1.4.5-3.2.mga3
libxfont1-static-devel-1.4.5-3.2.mga3
libxfont1-1.4.7-1.1.mga4
libxfont-devel-1.4.7-1.1.mga4

from SRPMS:
libxfont-1.4.5-3.2.mga3.src.rpm
libxfont-1.4.7-1.1.mga4.src.rpm
Comment 5 Lewis Smith 2014-06-24 22:13:14 CEST
Testing MGA4 64-bit real hardware

Updated to lib64xfont1-1.4.7-1.1.mga4 OK.
How do I know whether the library is being used? Just a bit of normal usage?
Comment 6 David Walser 2014-06-24 22:23:32 CEST
My understanding is that different types of fonts are handled by different libraries.  Certainly you'll need to restart the X server (log out and restart the X server from the DM) for the updated library to start being used.  I guess try using several different types of fonts in some applications (like LibreOffice Writer) and make sure things generally seem the same.
Comment 7 David Walser 2014-06-25 17:00:20 CEST
More info on this.  Only CVE-2014-0209 is really important here IMO.

From http://lists.x.org/archives/xorg-announce/2014-May/002431.html:
    When a local user who is already authenticated to the X server adds
    a new directory to the font path, the X server calls libXfont to open
    the fonts.dir and fonts.alias files in that directory and add entries
    to the font tables for every line in it.  A large file (~2-4 gb) could
    cause the allocations to overflow, and allow the remaining data read 
    from the file to overwrite other memory in the heap.

These pages show how to add directories to the font path at runtime:
http://www.freebsd.org/doc/handbook/x-fonts.html
http://www.x.org/archive/X11R6.8.0/doc/fonts2.html


Speaking of which, we should add the upstream advisory to the References:
http://lists.x.org/archives/xorg-announce/2014-May/002431.html
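As an added illustration of the defensive check implied by the upstream announcement quoted above (this is example code, not libXfont's code and not the fix shipped in these packages): the entry count on the first line of fonts.dir, and the "file name" lines after it, come from a file the local user controls, so a reader has to cap the count and compute the table size without wrapping before it allocates anything, and must stop writing at the declared count no matter how much data remains in the file. The cap, the per-line limit and the field widths are assumptions chosen for the example; the sample listing is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libXfont's code: a bounds-checked reader for a
 * fonts.dir-style listing.  The first line is a decimal entry count; every
 * following line is "<font file> <font name>" as mkfontdir writes them. */

#define MAX_FONT_ENTRIES 65536UL   /* constructed cap for this example */
#define MAX_LINE         256       /* constructed per-line limit */

struct font_entry {
    char file[128];   /* font file name, width-limited on parse */
    char name[128];   /* XLFD font name, width-limited on parse */
};

/* Parses `text`; on success stores a calloc'd table in *out and returns the
 * entry count, otherwise returns -1 with *out == NULL and nothing leaked. */
long parse_fonts_dir(const char *text, struct font_entry **out)
{
    char *end;
    unsigned long count, i = 0;
    struct font_entry *table;
    const char *p;

    *out = NULL;
    count = strtoul(text, &end, 10);
    if (end == text || (*end != '\n' && *end != '\0'))
        return -1;                             /* header is not a bare count */
    if (count > MAX_FONT_ENTRIES)
        return -1;                             /* refuse absurd counts outright */
    if (count > SIZE_MAX / sizeof(struct font_entry))
        return -1;                             /* count * sizeof would wrap */
    if (count == 0)
        return 0;                              /* nothing to allocate */
    table = calloc(count, sizeof *table);
    if (table == NULL)
        return -1;

    p = (*end == '\n') ? end + 1 : end;
    /* Never write past the table: the loop is bounded by `count`, not by the
     * amount of data left in the file. */
    while (i < count && *p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE];

        if (len >= sizeof line)                /* over-long line: reject it */
            goto fail;
        memcpy(line, p, len);
        line[len] = '\0';
        /* Width specifiers keep sscanf inside the fixed-size fields. */
        if (sscanf(line, "%127s %127[^\n]", table[i].file, table[i].name) != 2)
            goto fail;
        i++;
        p = nl ? nl + 1 : p + len;
    }
    if (i != count)                            /* file shorter than it claimed */
        goto fail;
    *out = table;
    return (long)count;

fail:
    free(table);
    return -1;
}

int main(void)
{
    /* Constructed sample listing with two entries. */
    static const char sample[] =
        "2\n"
        "fixed.pcf.gz -misc-fixed-medium-r-normal--13-120-75-75-c-70-iso8859-1\n"
        "bold.pcf.gz -misc-fixed-bold-r-normal--13-120-75-75-c-70-iso8859-1\n";
    struct font_entry *table;
    long n = parse_fonts_dir(sample, &table);
    long i;

    printf("parsed %ld entries\n", n);
    for (i = 0; i < n; i++)
        printf("  %s -> %s\n", table[i].file, table[i].name);
    free(table);
    return n == 2 ? 0 : 1;
}
```

The three early returns are the point: a count that exceeds the cap or would wrap `count * sizeof` is rejected before `calloc` runs, and the copy loop is bounded by the declared count rather than by the remaining input, so extra bytes in a multi-gigabyte file have nowhere to go.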
Comment 8 Lewis Smith 2014-06-26 20:24:54 CEST
Testing MGA4 64-bit real hardware

Added a font directory & copied a few existing fonts into it. Did
$ mkfontscale <fontdir>
$ mkfontdir <fontdir>
which created fonts.dir & fonts.scale .
$ xset fp+ <fontdir>
$ xset q
correctly added this fontdir to the pathlist:
Font Path:
  catalogue:/etc/X11/fontpath.d,built-ins,/home/lewis/.fonts
Confused about the difference between:
- Configuring Xft [fontconfig]
- Configuring the core X11 fonts system
and things mentioned in http://www.x.org/archive/X11R6.8.0/doc/fonts2.html which I could not find: specific sections in specific config files.

Without anything nasty happening, I'm OKing this.
Comment 9 David Walser 2014-06-26 20:31:54 CEST
(In reply to Lewis Smith from comment #8)
> Confused about the difference between:
> - Configuring Xft [fontconfig]
> - Configuring the core X11 fonts system
> and things mentioned in http://www.x.org/archive/X11R6.8.0/doc/fonts2.html
> which I could not find: specific sections in specific config files.

So I think what's relevant here is the core X11 fonts, as Xft/fontconfig should use different libraries.

> Without anything nasty happening, I'm OKing this.

Nice job.  Thanks.
Comment 10 Marc Lattemann 2014-06-29 23:34:40 CEST
testing on MGA4 32bit the same procedure as Lewis did in Comment #8.

Font Path:
  catalogue:/etc/X11/fontpath.d,built-ins,/home/marc/fonts/

Citing Lewis: nothing nasty happened.
Comment 11 Marc Lattemann 2014-06-30 00:00:21 CEST
tested the same way for MGA3 32bit and 64bit. Everything is fine as described above.
For me this update can be validated if those tests are sufficient.
Comment 12 Rémi Verschelde 2014-07-02 22:13:31 CEST
Validating update, advisory uploaded.

Please push libxfont to Mageia 3 and 4 core/updates.
Comment 13 Thomas Backlund 2014-07-04 20:52:26 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0278.html