Security fixes from X.Org Advisory:

X Font Service Protocol & Font metadata file handling issues in libXfont
May 13, 2014

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

    When a local user who is already authenticated to the X server adds
    a new directory to the font path, the X server calls libXfont to open
    the fonts.dir and fonts.alias files in that directory and add entries
    to the font tables for every line in it.  A large file (~2-4 gb) could
    cause the allocations to overflow, and allow the remaining data read
    from the file to overwrite other memory in the heap.

    Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

    When parsing replies received from the font server, these calls do not
    check that the lengths and/or indexes returned by the font server are
    within the size of the reply or the bounds of the memory allocated to
    store the data, so could write past the bounds of allocated memory when
    storing the returned data.

    Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
    fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
    fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

    These calls do not check that their calculations for how much memory
    is needed to handle the returned data have not overflowed, so can
    result in allocating too little memory and then writing the returned
    data past the end of the allocated buffer.

    Affected functions: fs_get_reply(), fs_alloc_glyphs(),
    fs_read_extent_info()

Reported by Ilja van Sprundel of IOActive
Fixes by Alan Coopersmith of Oracle

0 files changed, 0 insertions, 0 deletions