Greetings.

By now I'm sure that this issue is known by some or all people on this
list.  If not, here's the gist as reported on the bugtraq security
mailing list[1]:  Requests by an X client to use an abnormally large
font cause the local X server to go, well, "bye bye".  Originally
thought to have something to do with xfs, it was later found to be the
fault of libXfont (see forwarded message) which, IMHO, is Very Bad(tm).

Is there a patch for this?  A workaround?  Any X client that accepts
outside (probably untrusted) input regarding font sizing becomes a
hazard. :(

Regards,
kw.

[1]
http://online.securityfocus.com/archive/1/276120/2002-06-09/2002-06-15/0

---------- Forwarded message ----------

|  -----Original Message-----
|  From: Jakub Bogusz [mailto:[EMAIL PROTECTED]]
|  Sent: Tuesday, June 11, 2002 2:00 PM
|  To: [EMAIL PROTECTED]
|  Subject: Re: remote DoS in Mozilla 1.0
|
|
|  On Tue, Jun 11, 2002 at 03:05:31PM +0200, Stijn Jonker wrote:
|  [...]
|  > What happens is that XFS consumes huge amounts of ram, and finally bails
|  > out. So end of story for the fonts in X. As a result X is practically
|  > useless.
|  >
|  > I can only guess what happens when you don't use XFS but Xserver based
|  > font rendering, the X server consumes huge amounts of mem and cpu and bails
|  > out => server crash => Bye Bye X.
|  >
|  > The solution(s):
|  >    (a) Fix every app to disallow font sizes bigger than <maxvalue>
|  >    (b) Fix XFS to return an error code to the calling application
|  > when requested font size is greater than configured <maxvalue>
|
|  I think it's not XFS, but libXfont.
|
|  Here's the end of strace before xfs dies:
|
|  | open("/usr/share/fonts/Type1/ariam___-ISO-8859-2.pfb", O_RDONLY) = 7
|  | read(7, "\200\1\352\26\0\0%!PS-AdobeFont-1.0: Arial-"..., 512) = 512
|  [...]
|  | read(7, "\375KlWqU\200\321\20\2274;\214k\207\222\357\7[Q0\235\213"..., 512) = 512
|  | close(7)                                = 0
|  | old_mmap(NULL, 6311936, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x408d7000
|  | old_mmap(NULL, 13180928, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40edc000
|  | old_mmap(NULL, 31662080, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x41b6e000
|  | old_mmap(NULL, 33607680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x439a0000
|  | old_mmap(NULL, 46592000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x459ad000
|  | write(2, "xfs error: ", 11)             = -1 EBADF (Bad file descriptor)
|  | write(2, "Beziers this big not yet support"..., 34) = -1 EBADF (Bad file descriptor)
|  | rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
|  | getpid()                                = 21200
|  | kill(21200, SIGABRT)                    = 0
|  | --- SIGABRT (Aborted) ---
|
|  In XFree86 (4.2.0) in xc/lib/font/Type1/curves.c about line 219 there is:
|
|  | struct segment *
|  | StepBezier(struct region *R, /* Region under construction or NULL */
|  [...]
|  |        if ( TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
|  |             || TOOBIG(xD) || TOOBIG(yD) )
|  |                abort("Beziers this big not yet supported");
|
|  It isn't a very good idea to abort() on wrong parameters in a shared
|  library function...
|
|
|  --
|  Jakub Bogusz    http://prioris.mini.pw.edu.pl/~qboosh/
|  PLD Linux       http://www.pld.org.pl/
|
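The two fixes the thread discusses, as an added C illustration that is not libXfont or XFree86 code: a library routine that abort()s on an oversized curve (which takes the whole xfs or X server process down with it) beside one that validates and returns an error code to the caller, plus the client-side clamp from solution (a). The COORD_LIMIT threshold, the status enum and MAX_FONT_PIXELS are assumed values for the example, not the real constants from curves.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Assumed coordinate bound for the example; the real TOOBIG threshold
 * in xc/lib/font/Type1/curves.c is not reproduced here. */
#define COORD_LIMIT 1000000L
#define TOOBIG(xy) (((xy) < 0) ? (-(xy) > COORD_LIMIT) : ((xy) > COORD_LIMIT))

enum curve_status { CURVE_OK = 0, CURVE_ERR_TOOBIG = 1 };

/* Anti-pattern shown in the strace above: the library decides to die,
 * so the long-running server that linked it receives SIGABRT. */
void step_bezier_aborting(long xB, long yB, long xC, long yC,
                          long xD, long yD)
{
    if (TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
        || TOOBIG(xD) || TOOBIG(yD)) {
        fprintf(stderr, "Beziers this big not yet supported\n");
        abort();
    }
    /* ... rasterise the curve ... */
}

/* Hardened form: reject the input and let the caller fail one request
 * (solution (b) in the thread) instead of the whole process. */
enum curve_status step_bezier_checked(long xB, long yB, long xC, long yC,
                                      long xD, long yD)
{
    if (TOOBIG(xB) || TOOBIG(yB) || TOOBIG(xC) || TOOBIG(yC)
        || TOOBIG(xD) || TOOBIG(yD))
        return CURVE_ERR_TOOBIG;
    /* ... rasterise the curve ... */
    return CURVE_OK;
}

/* Solution (a): an application clamps untrusted font sizes to a policy
 * maximum before they reach the font server. Assumed limit. */
#define MAX_FONT_PIXELS 512
int clamp_font_size(long requested)
{
    if (requested < 1) return 1;
    if (requested > MAX_FONT_PIXELS) return MAX_FONT_PIXELS;
    return (int)requested;
}

int main(void)
{
    printf("huge curve -> status %d, clamp(99999) -> %d px\n",
           step_bezier_checked(0, 0, LONG_MAX, 0, 0, 0), clamp_font_size(99999));
    return 0;
}
```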

_______________________________________________
Xpert mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/xpert
