Vigil@nce - libXfont: memory corruption via LZW
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious character font compressed with
LZW, in order to execute code in applications linked to libXfont
which open this compressed file.
Severity: 2/4
Creation date: 11/08/2011
IMPACTED PRODUCTS
– Debian Linux
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The libXfont library processes character fonts. They can be stored
in a file compressed with the LZW (Lempel-Ziv-Welch) algorithm.
The LZW algorithm uses an array containing string fragments. This
array is progressively filled with the newly seen fragments as the
data are processed. Indexes into this array are stored in the
compressed file. In order to uncompress the file, the algorithm reads
an index (from the compressed file) and writes the associated
fragment to the uncompressed file. When the data follow the "KwKwK"
pattern, where K is a character and "w" is a fragment (word), the
index read refers to the first free position of the array (the entry
whose fill is still in progress). This is a known special case of
LZW, for which using this empty position is allowed.
However, libXfont handles the "KwKwK" special case incorrectly and
accepts indexes which are greater than this first empty position.
This leads to a memory corruption.
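As an added illustration (not code from the Vigil@nce bulletin or from libXfont), the following C decoder shows the bound a safe LZW dictionary lookup must enforce: a code may name an already filled entry or exactly the first empty slot (the "KwKwK" case), and any larger code is rejected before it can index the array. It works on already-unpacked codes, assumes no clear or end-of-stream codes, and the sample code stream is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define LZW_MAX_CODES 4096 /* 12-bit codes, the usual LZW ceiling */
#define LZW_LITERALS  256  /* codes 0..255 stand for single bytes */

typedef struct {
    int     prefix[LZW_MAX_CODES]; /* code this entry extends, -1 for a literal */
    uint8_t last[LZW_MAX_CODES];   /* final byte of the entry */
    size_t  len[LZW_MAX_CODES];    /* bytes the entry expands to */
    int     next_free;             /* first empty slot: the only undefined code allowed */
} lzw_dict;

static void lzw_dict_init(lzw_dict *d) {
    for (int c = 0; c < LZW_LITERALS; c++) { d->prefix[c] = -1; d->last[c] = (uint8_t)c; d->len[c] = 1; }
    d->next_free = LZW_LITERALS;
}
/* First byte of a defined entry, found by walking its prefix chain. */
static uint8_t lzw_first_byte(const lzw_dict *d, int code) {
    while (d->prefix[code] >= 0) code = d->prefix[code];
    return d->last[code];
}
/* Decodes already-unpacked LZW codes (no clear/EOF codes: an assumption of this
 * example). Returns bytes written, or -1 for a malformed stream or a full buffer. */
long lzw_decode(const int *codes, size_t ncodes, uint8_t *out, size_t outcap) {
    lzw_dict d; lzw_dict_init(&d);
    size_t pos = 0; int prev = -1;
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i];
        /* The bound the advisory describes: a code may name a filled entry or, for
         * "KwKwK", exactly the first empty slot; anything beyond that is rejected. */
        if (code < 0 || code >= LZW_MAX_CODES || code > d.next_free) return -1;
        if (code == d.next_free && prev < 0) return -1; /* KwKwK needs a prior code */
        if (prev >= 0 && d.next_free < LZW_MAX_CODES) { /* fill the pending slot first */
            int n = d.next_free++;
            d.prefix[n] = prev;
            d.last[n] = lzw_first_byte(&d, code == n ? prev : code);
            d.len[n] = d.len[prev] + 1;
        }
        size_t n = d.len[code];
        if (n > outcap - pos) return -1; /* never write past the output buffer */
        for (size_t k = n; k > 0; k--) { out[pos + k - 1] = d.last[code]; code = d.prefix[code]; }
        pos += n;
        prev = codes[i];
    }
    return (long)pos;
}

/* Constructed sample: LZW codes for "abababab"; 258 is emitted as a KwKwK code. */
static const int kSampleCodes[] = { 97, 98, 256, 258, 98 };
```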
An attacker can therefore create a malicious character font
compressed with LZW, in order to execute code in applications
linked to libXfont which open this compressed file.
A local attacker can for example add a font directory (containing
the malicious file) in his X11 configuration, in order to execute
code in the X server, with root privileges.
This vulnerability has the same origin as VIGILANCE-VUL-10919
(https://vigilance.fr/tree/1/10919).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libXfont-memory-corruption-via-LZW-10918