Your message dated Thu, 19 Feb 2004 21:07:51 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#232378: xfree86: XFree86 local expoitable buffer overflow (SECURITY) has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------

From: Tobias Burnus <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: xfree86: XFree86 local expoitable buffer overflow (SECURITY)
Date: Thu, 12 Feb 2004 12:39:42 +0100

Package: xfree86
Severity: serious

See
http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false
and existing
exploit in
http://www.securityfocus.com/archive/1/353493/2004-02-09/2004-02-15/0

the patch is available from
ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff

Affected is both Woody and Sarge/Unstable.

Description:
Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
X Window System allows local attackers to gain root privileges.

The problem specifically exists in the parsing of the 'font.alias' file.
The X server (running as root) fails to check the length of user
provided input. A malicious user may craft a malformed 'font.alias'
file causing a buffer overflow upon parsing, eventually leading to the
execution of arbitrary code.

Successful exploitation requires that an attacker be able to execute
commands in the X11 subsystem. This can be done either by having console
access to the target or through a remote exploit against any X client
program such as a web-browser, mail-reader or game. Successful
exploitation yields root access.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux g35 2.4.24-nfsacl-libata-drbd-up #1 Mon Jan 5 22:37:02 CET 2004 i686
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8

---------------------------------------

Date: Thu, 19 Feb 2004 21:07:51 -0500
From: Branden Robinson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#232378: xfree86: XFree86 local expoitable buffer overflow (SECURITY)

On Thu, Feb 12, 2004 at 12:39:42PM +0100, Tobias Burnus wrote:
> Package: xfree86
> Severity: serious
>
> See
> http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false
> and existing exploit in
> http://www.securityfocus.com/archive/1/353493/2004-02-09/2004-02-15/0
>
> the patch is available from
> ftp://ftp.xfree86.org/pub/XFree86/4.3.0/fixes/fontfile.diff
>
> Affected is both Woody and Sarge/Unstable.
>
> Description:
> Exploitation of a buffer overflow in The XFree86 Project Inc.'s XFree86
> X Window System allows local attackers to gain root privileges.
>
> The problem specifically exists in the parsing of the 'font.alias' file.
> The X server (running as root) fails to check the length of user
> provided input. A malicious user may craft a malformed 'font.alias'
> file causing a buffer overflow upon parsing, eventually leading to the
> execution of arbitrary code.
>
> Successful exploitation requires that an attacker be able to execute
> commands in the X11 subsystem. This can be done either by having console
> access to the target or through a remote exploit against any X client
> program such as a web-browser, mail-reader or game. Successful
> exploitation yields root access.

This was fixed in 4.3.0-2, which was accepted into Debian unstable on 18
February.

xfree86 (4.3.0-1) experimental; urgency=low

  * Grab fixes to upstream CVS xf-4_3-branch since last pull.
    [...]
    + (xc/lib/font/fontfile/dirfile.c): Fix font alias overrun.
      [SECURITY FIX] (CAN-2004-0083)
    [...]
    + (xc/lib/font/fontfile/dirfile.c, xc/lib/font/fontfile/encparse.c,
      xc/lib/font/fontfile/fontfile.c): 1013. Some more font path checks.
    [...]

 -- Branden Robinson <[EMAIL PROTECTED]>  Tue, 17 Feb 2004 12:58:28 -0500

XFree86 4.1.0-16woody3, which fixes these issues for Debian 3.0
("woody") has been in the hands of the security team for several days,
and will be released when the build infrastructure finishes compiling it
for all of the architectures supported in woody.

Thank you again for your report. Closing.

-- 
G. Branden Robinson                |    Somebody once asked me if I thought
Debian GNU/Linux                   |    sex was dirty.  I said, "It is if
[EMAIL PROTECTED]                  |    you're doing it right."
http://people.debian.org/~branden/ |    -- Woody Allen
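
Added example, not code from XFree86, its patch, or either author in this thread: the report describes a 'font.alias' parser that copies user-provided input without checking its length, and this C sketch shows the bounded token copy that such a parser needs. The 256-byte buffer size, all function and enum names, and the simplified line format (two whitespace-separated tokens, no quoting) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define ALIAS_TOKEN_MAX 256   /* assumed buffer size for this example */

enum alias_status { ALIAS_OK = 0, ALIAS_EMPTY, ALIAS_TOO_LONG, ALIAS_MALFORMED };

/* Copy one whitespace-delimited token from *cursor into out (capacity cap).
 * Returns ALIAS_TOO_LONG instead of writing past the end of out. */
static enum alias_status next_token(const char **cursor, char *out, size_t cap)
{
    const char *p = *cursor;
    size_t n = 0;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '\n' || *p == '!')   /* '!' starts a comment */
        return ALIAS_EMPTY;
    while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n') {
        if (n + 1 >= cap)            /* keep room for the terminating NUL */
            return ALIAS_TOO_LONG;
        out[n++] = *p++;
    }
    out[n] = '\0';
    *cursor = p;
    return ALIAS_OK;
}

/* Parse one "alias real-name" line into two caller-supplied buffers. */
enum alias_status parse_alias_line(const char *line, char alias[ALIAS_TOKEN_MAX],
                                   char target[ALIAS_TOKEN_MAX])
{
    enum alias_status st = next_token(&line, alias, ALIAS_TOKEN_MAX);
    if (st != ALIAS_OK)
        return st;
    st = next_token(&line, target, ALIAS_TOKEN_MAX);
    return (st == ALIAS_EMPTY) ? ALIAS_MALFORMED : st;   /* alias without target */
}

/* Constructed input: an alias token of `len` bytes followed by a short target. */
enum alias_status status_for_alias_len(size_t len)
{
    static char line[8192];
    char alias[ALIAS_TOKEN_MAX], target[ALIAS_TOKEN_MAX];

    if (len > sizeof line - 8) len = sizeof line - 8;
    memset(line, 'A', len);
    memcpy(line + len, " fixed\n", 8);   /* 7 characters plus the NUL */
    return parse_alias_line(line, alias, target);
}
```

The boundary is the case to check: a token of ALIAS_TOKEN_MAX - 1 bytes fits with its terminator, while one byte more is rejected rather than truncated or written out of bounds.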