According to X.org advisory, BDF font file containing a longer than expected string could overflow the buffer on the stack. Testing in X servers built with Stack Protector resulted in an immediate crash when reading a user-provided specially crafted font.
The vulnerability exists in the "lib/libXfont/src/bitmap/bdfread.c". The libXfont is used to read user-specified font files in all X servers.
Vulnerable Code:As you can see in the above code that the 'charName' variable is declared with length of 100 bytes, it can store a string consisting of up to 100 characters.
char charName[100];
int ignore;
if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
Sscanf function fails to validate the number of characters getting from the input. So, an attacker can pass more than 100 characters that leads to stack buffer overflow.
A successful exploitation allows attacker to run his own code in the system. Since Xorg server is usually run with root privilege, an attacker is able to run the code with root privileges.
The bug is fixed by limiting the number of characters getting from the user.
if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
Canonical has provided a security fix for the Ubuntu Distro. To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
