oss-sec mailing list archives
Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 17 Mar 2015 08:56:24 -0700
On 03/17/15 08:18 AM, Sven Schwedas wrote:
> On 2015-03-17 16:11, Alan Coopersmith wrote:
>> As libXfont is used by the X server to read font files, and an unprivileged
>> user with access to the X server can tell the X server to read a given font
>> file from a path of their choosing, these vulnerabilities have the potential
>
> Can this be exploited by any current browser's web fonts implementation, or
> will this require local access? (Loading fonts from user-writeable ~/.fonts
> seems to be enabled by default.)
I am not aware of any current browser which meets any of these criteria, much
less all of them:

 - supports the ancient BDF bitmap font format in its webfonts, instead of
   scalable font formats such as OpenType, TrueType, or Postscript Type 1.
 - uses the old X server-side font technology instead of rendering on the
   client side, where it can do complex text layout & antialiasing.
 - downloads a BDF font from a website, stores it to a local directory, runs
   mkfontdir in that directory, and adds it to the X font path.

The primary exploit path X.Org is aware of for these would be a local user who
can already log in to an X session, running "xset +fp" to add a directory under
their control to the font path of that X server in order to execute code with
the privileges of the X server (often root).

-- 
	-Alan Coopersmith-              alan.coopersmith () oracle com
	 X.Org Security Response Team - xorg-security () lists x org
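The exploit path described above depends on the X server's font path containing a directory the local user can write to. The following is an added example, not code from the advisory, from X.Org or from either poster: a POSIX shell audit that parses `xset q` output and reports font path directories writable by the invoking user. The function names are chosen here, and the embedded `xset q` sample is constructed; on a live system feed it `xset q` instead.

```shell
#!/bin/sh
# Added example (not X.Org code): find font path directories a local user
# could fill with crafted BDF files, run mkfontdir in, and hand to the X server.

# Print the font path entries, one per line, from `xset q`-style output on stdin.
# `xset q` prints "Font Path:" on its own line, followed by the comma-separated list.
font_path_entries() {
    awk '
        found == 1 { print; exit }
        /^Font Path:/ { found = 1 }
    ' | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Reduce the entries to local directories: drop the server's built-in fonts and
# font-server transports (unix/:7100, tcp/host:7100, inet/host:7100). Strip the
# "catalogue:" prefix and ":unscaled" suffix, which change how a directory is
# used, not where it is (a writable catalogue directory is itself a problem,
# since the user can add symlinks to it).
local_font_dirs() {
    font_path_entries | while IFS= read -r entry; do
        case "$entry" in
            built-ins)                        continue ;;
            unix/*|tcp/*|inet/*|inet6/*)      continue ;;
        esac
        entry=${entry#catalogue:}
        entry=${entry%:unscaled}
        printf '%s\n' "$entry"
    done
}

# Report the local font directories the current user can write to.
risky_font_dirs() {
    local_font_dirs | while IFS= read -r dir; do
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Constructed sample in the shape `xset q` prints, with a user-owned directory
# already added via "xset +fp ~/.fonts". Only "Font Path:" and the following
# line matter to the parser; `xset q` prints other sections before it.
SAMPLE_XSET_Q='Font Path:
  /usr/share/fonts/X11/misc:unscaled,/usr/share/fonts/X11/Type1,catalogue:/etc/X11/fontpath.d,/home/user/.fonts,unix/:7100,built-ins'

# Demo on the constructed sample (prints nothing unless one of those directories
# exists on this machine and is writable); for a real check: xset q | risky_font_dirs
printf '%s\n' "$SAMPLE_XSET_Q" | risky_font_dirs
```

Any directory the audit prints is one in which the invoking user can place BDF files and a `fonts.dir` generated by mkfontdir, which the X server then parses with libXfont at its own privilege level.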
Current thread:
- Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont Alan Coopersmith (Mar 17)
- Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont Sven Schwedas (Mar 17)
- Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont Alan Coopersmith (Mar 17)
- Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont Sven Schwedas (Mar 17)