SUSE Security Announcement: xf86/XFree86 (SuSE-SA:2004:006)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: xf86/XFree86
Announcement-ID: SuSE-SA:2004:006
Date: Monday, Feb. 23th 2004 16:30 MET
Affected products: 8.0, 8.1, 8.2, 9.0
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10): 5
SUSE default package: yes
Cross References: CAN-2004-0083
CAN-2004-0084
CAN-2004-0106
Content of this advisory:
1) security vulnerability resolved:
- several local buffer overflows in fontfile code
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- mutt
- mod_python
- mailman
- metamail
- libxml2
- lbreakout
- pwlib
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
XFree86 is an open-source X Window System implementation that acts
as a client-server-based API between different hardware components
like display, mouse, keyboard and so on.
Several buffer overflows were found in the fontfile code that handles
a user-supplied "fonts.alias" file. The file is processed with root
privileges and therefore a successful exploitation of these bugs leads
to local root access.
There is no known workaround.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, to apply the update use the command "rpm -Fhv file.rpm".
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/XFree86-4.3.0.1-46.i586.rpm
dcaadc2b9438995c9a3ac6e4fc7bf181
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/XFree86-4.3.0.1-46.i586.patch.rpm
f094861c9a0fbb5f27d168b680fe1a5b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/XFree86-4.3.0.1-46.src.rpm
824c6173693342a033f75c503592e7e0
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/XFree86-4.3.0-120.i586.rpm
f1f01280e6e8a5a2f091a04c5836a51d
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/XFree86-4.3.0-120.i586.patch.rpm
16ba90ef0ad607d1547cda7734b28750
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/XFree86-4.3.0-120.src.rpm
4100735436d4c8801c6add673fceb29e
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xf86-4.2.0-257.i586.rpm
9ed1fc5ec83a42a85315391387610e6b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xf86-4.2.0-257.i586.patch.rpm
9652732385f8670ea9d36151378b7428
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/xf86-4.2.0-257.src.rpm
e1d73191d2aabe3a6dda677e6fd716bc
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/x1/xf86-4.2.0-257.i386.rpm
9b69aac017a0ac9905e3fc4e9594d435
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/x1/xf86-4.2.0-257.i386.patch.rpm
3076136bcdf20132f343768e4a71c7a2
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/xf86-4.2.0-257.src.rpm
1775eef155f4afdc9a3a08ff31a38607
Opteron x86_64 Platform:
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/XFree86-4.3.0.1-52.x86_64.rpm
1714cb2eb566fab0e29277db9f9d2572
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/XFree86-4.3.0.1-52.x86_64.patch.rpm
930944efc868b28d87a69a9543206546
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/XFree86-4.3.0.1-52.src.rpm
ee67773fcad341912b617d397991ed32
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- mutt
The popular email client mutt is vulnerable to a remote denial-of-service
attack and maybe remote command execution. The bug can be triggered by
malformed messages that overflow an internal buffer.
New packages are available on our FTP servers..
- mod_python
A remote denial-of-service attack can be triggered against the Apache
web server by sending a specific query string that is processed by
mod_python.
New packages will be available soon.
- mutt
The popular email client mutt is vulnerable to a remote denial-of-service
attack and maybe remote command execution. The bug can be triggered by
malformed messages that overflow an internal buffer.
New packages are available on our FTP servers..
- mailman
A remote denial-of-service attack can be triggered in mailman 2.0.x
(CAN-2003-0991).
New packages will be available soon.
- metamail
This update fixes two buffer overflows and two format string bugs
that can be exploited remotely in conjunction with other tools
to gain access to a system with the privileges of the user running
New packages will be available soon.
- libxml2
A buffer overflow in the URI parsing cde is fixed. This bug can
lead to remote access to a system using libxml2.
New packages will be available soon.
- lbreakout
A buffer overflow in lbreakout can be exploited locally to gain
access to group 'game'. This just affects SuSE Linux 8.1.
New packages will be available soon.
- pwlib
This update addresses several security vulnerabilities that
may be exploited remotely via applications that link with
pwlib, like GnomeMeeting or alike.
New packages will be available soon.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
Hi, Thomas Biege wrote:
SUSE Security Announcement
Package: xf86/XFree86 Announcement-ID: SuSE-SA:2004:006
having installed the update on SuSE 8.0, X still crashes using the method from http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false Should that happen? cu, Frank ############# watson /root/tmp# rpm -q --changelog xf86 | head -n 5 * Thu Feb 12 2004 - thomas@suse.de - fixed more buffer overflows in fontfile/ direc (#34296) - put together old and new bugs in fontfile-sec_bufferoverflows.diff # having the fonts.alias and fonts.dir in tmp/: watson /root/tmp# X :0 -fp $PWD XFree86 Version 4.2.0 / X Window System (protocol Version 11, revision 0, vendor release 6600) Release Date: 18 January 2002 If the server is older than 6-12 months, or if your card is newer than the above date, look for a newer version before reporting problems. (See http://www.XFree86.Org/) Build Operating System: SuSE Linux [ELF] SuSE Module Loader present Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown. (==) Log file: "/var/log/XFree86.0.log", Time: Tue Feb 24 10:10:34 2004 (==) Using config file: "/etc/X11/XF86Config" Fatal server error: Caught signal 4. Server aborting When reporting a problem related to a server crash, please send the full server output, not just the last messages. This can be found in the log file "/var/log/XFree86.0.log". Please report problems to feedback@suse.de. ############## cu, Frank -- Dipl.-Inform. Frank Steiner Mail: fst_at_bio.informatik.uni-muenchen.de Lehrstuhl f. Bioinformatik Phone: +49 89 2180-4049, Fax: -4054 LMU, Amalienstr. 17 http://www.informatik.uni-kiel.de/~fst/ 80333 Muenchen, Germany * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *
On Tue, 24 Feb 2004, Frank Steiner wrote:
Hi,
Hi.
Thomas Biege wrote:
SUSE Security Announcement
Package: xf86/XFree86 Announcement-ID: SuSE-SA:2004:006
having installed the update on SuSE 8.0, X still crashes using the method from http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false
Should that happen?
cu, Frank
############# watson /root/tmp# rpm -q --changelog xf86 | head -n 5
Does this even happen as non-root user?
* Thu Feb 12 2004 - thomas@suse.de
- fixed more buffer overflows in fontfile/ direc (#34296) - put together old and new bugs in fontfile-sec_bufferoverflows.diff
# having the fonts.alias and fonts.dir in tmp/: watson /root/tmp# X :0 -fp $PWD
XFree86 Version 4.2.0 / X Window System (protocol Version 11, revision 0, vendor release 6600) Release Date: 18 January 2002 If the server is older than 6-12 months, or if your card is newer than the above date, look for a newer version before reporting problems. (See http://www.XFree86.Org/) Build Operating System: SuSE Linux [ELF] SuSE Module Loader present Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown. (==) Log file: "/var/log/XFree86.0.log", Time: Tue Feb 24 10:10:34 2004 (==) Using config file: "/etc/X11/XF86Config"
Fatal server error: Caught signal 4. Server aborting
The original bug triggered a SIGSEGV (11) this one is a SIGILL (4).
Maybe it triggered just another bug. I'll verify the sources...
Bye,
Thomas
--
Thomas Biege
Hi.
having installed the update on SuSE 8.0, X still crashes using the method from http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities&flashstatus=false
Should that happen?
Hm, did you restart the X server?
Bye,
Thomas
--
Thomas Biege
Hi, Thomas Biege wrote:
Hm, did you restart the X server?
Yes, even rebooted the PC to avoid any caching effect.
Does this even happen as non-root user?
yes, same effect.
Fatal server error: Caught signal 4. Server aborting
The original bug triggered a SIGSEGV (11) this one is a SIGILL (4). Maybe it triggered just another bug. I'll verify the sources...
Actually, rebooting the PC changed the signal to 11 again... It also happens on our SuSE 9.0 PCs with the updated XFree86 (as root and as any other user). And the signal is indeed caused by the font files: riemann /root# rpm -q --changelog XFree86 |head -n 5 * Thu Feb 12 2004 - thomas@suse.de - fixed more buffer overflows in fontfile/ direc (#34296) - put together old and new bugs in fontfile-sec_bufferoverflows.diff riemann /root/tmp# strace -f X :0 -fp $PWD : : open("/root/tmp/fonts.dir", O_RDONLY) = 7 fstat64(7, {st_mode=S_IFREG|0644, st_size=75, ...}) = 0 fstat64(7, {st_mode=S_IFREG|0644, st_size=75, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40022000 read(7, "1\nword.bdf -misc-fixed-medium-r-"..., 4096) = 75 read(7, "", 4096) = 0 read(7, "", 4096) = 0 close(7) = 0 munmap(0x40022000, 4096) = 0 open("/root/tmp/fonts.alias", O_RDONLY) = 7 fstat64(7, {st_mode=S_IFREG|0644, st_size=1121, ...}) = 0 fstat64(7, {st_mode=S_IFREG|0644, st_size=1121, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40022000 read(7, "00000000000000000000000000000000"..., 4096) = 1121 close(7) = 0 munmap(0x40022000, 4096) = 0 --- SIGSEGV (Segmentation fault) @ 0 (0) --- rt_sigaction(SIGSEGV, {SIG_IGN}, {0x8084330, [SEGV], SA_RESTORER|SA_RESTART, 0x4009caa8}, 8) = 0 ... Any more information I can send to help track down the problem (full strace, XF8Config etc.)? cu, Frank -- Dipl.-Inform. Frank Steiner mailto:fst_at_bio.informatik.uni-muenchen.de Lehrstuhl f. Bioinformatik LMU, Amalienstr. 17 Phone: +49 89 2180-4049, Fax: -4054 80333 Muenchen, Germany http://www.informatik.uni-kiel.de/~fst/ * Rekursion kann man erst verstehen, wenn man Rekursion verstanden hat. *
On Tue, 24 Feb 2004, Frank Steiner wrote:
Hi,
Hi.
Thomas Biege wrote:
Hm, did you restart the X server?
Yes, even rebooted the PC to avoid any caching effect.
Does this even happen as non-root user?
yes, same effect.
Fatal server error: Caught signal 4. Server aborting
The original bug triggered a SIGSEGV (11) this one is a SIGILL (4). Maybe it triggered just another bug. I'll verify the sources...
Actually, rebooting the PC changed the signal to 11 again... It also happens on our SuSE 9.0 PCs with the updated XFree86 (as root and as any other user). And the signal is indeed caused by the font files:
The patches were in, but the wrong packages are put to the FTP servers.
The new packages (XFree86-server and xloader for older SL versions)
were released yesterday.
Bye,
Thomas
--
Thomas Biege
participants (3)
-
Frank Steiner
-
Thomas Biege
-
thomas@suse.de