ID CVE-2015-1804
Summary The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file.
References
Vulnerable Configurations
  • cpe:2.3:a:x:libxfont:1.4.8
  • cpe:2.3:a:x:libxfont:1.5.0
  • Canonical Ubuntu Linux 14.10
    cpe:2.3:o:canonical:ubuntu_linux:14.10
  • Canonical Ubuntu Linux 10.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:10.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 8.5 (as of 23-03-2015 - 12:22)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  Vector NETWORK
  Complexity MEDIUM
  Authentication SINGLE_INSTANCE
Impact
  Confidentiality COMPLETE
  Integrity COMPLETE
  Availability COMPLETE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-145.NASL
    description Updated libxfont packages fix security vulnerabilities : Ilja van Sprundel discovered that libXfont incorrectly handled font metadata file parsing. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges (CVE-2014-0209). Ilja van Sprundel discovered that libXfont incorrectly handled X Font Server replies. A malicious font server could return specially crafted data that could cause libXfont to crash, or possibly execute arbitrary code (CVE-2014-0210, CVE-2014-0211). The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes (CVE-2015-1802). If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer (CVE-2015-1803). The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access (CVE-2015-1804).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 82398
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82398
    title Mandriva Linux Security Advisory : libxfont (MDVSA-2015:145-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0120.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-1802: missing range check in bdfReadProperties (bug 1258892) - CVE-2015-1803: crash on invalid read in bdfReadCharacters (bug 1258892) - CVE-2015-1804: out-of-bounds memory access in bdfReadCharacters (bug 1258892)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85784
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85784
    title OracleVM 3.3 : libXfont (OVMSA-2015-0120)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-597.NASL
    description An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 86075
    published 2015-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86075
    title Amazon Linux AMI : libXfont (ALAS-2015-597)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_XORG-X11-DEVEL-150317.NASL
    description LibXFont was updated to fix security problems that could be used by local attackers to gain X server privileges (root). The following security issues have been fixed : - The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. (CVE-2015-1802) - If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. (CVE-2015-1803) - The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access. (CVE-2015-1804)
    last seen 2019-02-21
    modified 2015-04-08
    plugin id 82641
    published 2015-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82641
    title SuSE 11.3 Security Update : xorg-x11-libs (SAT Patch Number 10487)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F7D79FACCD4911E4898FBCAEC565249C.NASL
    description Alan Coopersmith reports : Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files. As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 81901
    published 2015-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81901
    title FreeBSD : libXfont -- BDF parsing issues (f7d79fac-cd49-11e4-898f-bcaec565249c)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150903_LIBXFONT_ON_SL6_X.NASL
    description An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 85788
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85788
    title Scientific Linux Security Update : libXfont on SL6.x, SL7.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-4199.NASL
    description libXfont 1.5.1 (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 81994
    published 2015-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81994
    title Fedora 22 : libXfont-1.5.1-1.fc22 (2015-4199)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-913.NASL
    description This update for libXfont fixes the following issue : - A negative DWIDTH is legal. This was broken by the security fix for CVE-2015-1804. (boo#958383).
    last seen 2019-02-21
    modified 2015-12-21
    plugin id 87517
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87517
    title openSUSE Security Update : libXfont (openSUSE-2015-913)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201507-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-201507-21 (libXfont: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libXfont. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 84935
    published 2015-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84935
    title GLSA-201507-21 : libXfont: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-4230.NASL
    description Security fix for CVE-2015-1802, CVE-2015-1803, CVE-2015-1804 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 82057
    published 2015-03-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82057
    title Fedora 21 : libXfont-1.5.1-1.fc21 (2015-4230)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1708.NASL
    description From Red Hat Security Advisory 2015:1708 : An updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 85780
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85780
    title Oracle Linux 6 / 7 : libXfont (ELSA-2015-1708)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1708.NASL
    description An updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86506
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86506
    title CentOS 6 / 7 : libXfont (CESA-2015:1708)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-183.NASL
    description Ilja van Sprundel, Alan Coopersmith and William Robinet discovered multiple issues in libxfont's code to process BDF fonts, which might result in privilege escalation. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 82300
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82300
    title Debian DLA-183-1 : libxfont security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3194.NASL
    description Ilja van Sprundel, Alan Coopersmith and William Robinet discovered multiple issues in libxfont's code to process BDF fonts, which might result in privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 81900
    published 2015-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81900
    title Debian DSA-3194-1 : libxfont - security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-266.NASL
    description libXFont was updated to fix three vulnerabilities when parsing BDF files (bnc#921978) As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server. The following vulnerabilities were fixed : - The BDF parser could allocate a wrong buffer size, leading to out of bound writes (CVE-2015-1802) - The BDF parser could crash when trying to read an invalid pointer (CVE-2015-1803) - The BDF parser could read 32 bit metrics values into 16 bit integers, causing an out-of-bound memory access through integer overflow (CVE-2015-1804)
    last seen 2019-02-21
    modified 2015-03-30
    plugin id 82424
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82424
    title openSUSE Security Update : libXfont (openSUSE-2015-266)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2536-1.NASL
    description Ilja van Sprundel, Alan Coopersmith, and William Robinet discovered that libXfont incorrectly handled malformed bdf fonts. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 81951
    published 2015-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81951
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : libxfont vulnerabilities (USN-2536-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1708.NASL
    description An updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85973
    published 2015-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85973
    title RHEL 6 / 7 : libXfont (RHSA-2015:1708)
redhat via4
advisories
bugzilla
id 1203719
title CVE-2015-1804 libXfont: out-of-bounds memory access in bdfReadCharacters
oval
OR
  • AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment libXfont is earlier than 0:1.4.5-5.el6_7
          oval oval:com.redhat.rhsa:tst:20151708005
        • comment libXfont is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111154006
      • AND
        • comment libXfont-devel is earlier than 0:1.4.5-5.el6_7
          oval oval:com.redhat.rhsa:tst:20151708007
        • comment libXfont-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111154008
  • AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment libXfont is earlier than 0:1.4.7-3.el7_1
          oval oval:com.redhat.rhsa:tst:20151708013
        • comment libXfont is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111154006
      • AND
        • comment libXfont-devel is earlier than 0:1.4.7-3.el7_1
          oval oval:com.redhat.rhsa:tst:20151708014
        • comment libXfont-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111154008
rhsa
id RHSA-2015:1708
released 2015-09-03
severity Important
title RHSA-2015:1708: libXfont security update (Important)
rpms
  • libXfont-0:1.4.5-5.el6_7
  • libXfont-devel-0:1.4.5-5.el6_7
  • libXfont-0:1.4.7-3.el7_1
  • libXfont-devel-0:1.4.7-3.el7_1
refmap via4
bid 73279
confirm
debian DSA-3194
fedora
  • FEDORA-2015-4199
  • FEDORA-2015-4230
gentoo GLSA-201507-21
mandriva MDVSA-2015:145
misc http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/
sectrack 1031935
suse
  • SUSE-SU-2015:0674
  • SUSE-SU-2015:0702
  • openSUSE-SU-2015:0614
  • openSUSE-SU-2015:2300
ubuntu USN-2536-1
Last major update 30-12-2016 - 21:59
Published 20-03-2015 - 10:59