Debian Security Advisory

DSA-443-1 xfree86 -- several vulnerabilities

Date Reported:
19 Feb 2004
Affected Packages: xfree86
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 9636, BugTraq ID 9652, BugTraq ID 9655, BugTraq ID 9701.
In Mitre's CVE dictionary: CVE-2003-0690, CVE-2004-0083, CVE-2004-0084, CVE-2004-0106, CVE-2004-0093, CVE-2004-0094.
More information:

A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project:

  • CAN-2004-0083:

    Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084.

  • CAN-2004-0084:

    Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083.

  • CAN-2004-0106:

    Miscellaneous additional flaws in XFree86's handling of font files.

  • CAN-2003-0690:

    xdm does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.

  • CAN-2004-0093, CAN-2004-0094:

    Denial-of-service attacks against the X server by clients using the GLX extension and Direct Rendering Infrastructure are possible due to unchecked client data (out-of-bounds array indexes [CAN-2004-0093] and integer signedness errors [CAN-2004-0094]).

Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, CAN-2004-0093 and CAN-2004-0094 would require a connection to the X server. By default, display managers in Debian start the X server with a configuration which only accepts local connections, but if the configuration is changed to allow remote connections, or X servers are started by other means, then these bugs could be exploited remotely. Since the X server usually runs with root privileges, these bugs could potentially be exploited to gain root privileges.
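The practical question this paragraph raises for an administrator is whether any X server on the host accepts TCP connections at all. The following script is an added example, not part of DSA-443 or of the xfree86 package: it inspects X server command lines for the `-nolisten tcp` option that Debian's display managers pass to keep the server local-only. It assumes that an X server is recognised by a command line ending in `/X`, `XFree86` or `Xorg` (other server binaries such as Xvfb are not matched), and the process listing it runs on is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of DSA-443 or the xfree86 package.
# Decide whether an X server accepts TCP connections, which is the condition
# under which the font-file and GLX bugs in the advisory become remotely
# reachable. Assumes the Debian convention that a local-only server is started
# with "-nolisten tcp".

# is_x_server CMDLINE: true when CMDLINE looks like an X server invocation
# (a command named X, XFree86 or Xorg, with or without a directory prefix).
is_x_server() {
  case "$1" in
    "X "*|X|*"/X "*|*"/X") return 0 ;;
    *"XFree86 "*|*XFree86|*"Xorg "*|*Xorg) return 0 ;;
    *) return 1 ;;
  esac
}

# x_listens_tcp CMDLINE: true when the server was NOT started with
# "-nolisten tcp", i.e. it binds TCP port 6000 + display number.
x_listens_tcp() {
  case " $1 " in
    *" -nolisten tcp "*) return 1 ;;
    *) return 0 ;;
  esac
}

# exposed_x_servers: reads "ps -eo args=" style lines on stdin and prints the
# command lines of X servers that accept TCP connections. Exit status is 0
# when at least one such server was found, 1 otherwise.
exposed_x_servers() {
  n=0
  while IFS= read -r cmd; do
    is_x_server "$cmd" || continue
    if x_listens_tcp "$cmd"; then
      printf '%s\n' "$cmd"
      n=$((n + 1))
    fi
  done
  [ "$n" -gt 0 ]
}

# Constructed sample process listing (not captured from a real host):
# display :0 was started by a display manager with -nolisten tcp, display :1
# was started by hand without it and is therefore reachable over the network.
SAMPLE='/usr/bin/X11/X :0 -dpi 100 -nolisten tcp vt7
/usr/bin/X11/X :1 -dpi 100 vt8
/usr/bin/xdm
/bin/sh /usr/bin/startx'

# To check the running host instead of the sample:
#   ps -eo args= | exposed_x_servers
printf '%s\n' "$SAMPLE" | exposed_x_servers
```

On the sample listing the script reports only `/usr/bin/X11/X :1 -dpi 100 vt8`. A server that shows up here, or a listener on port 6000 and up in `netstat -ltn`, is one for which the remote exposure described above applies and the update should be treated as urgent.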

No attack vector for CAN-2003-0690 is known at this time.

For the stable distribution (woody) these problems have been fixed in version 4.1.0-16woody3.

For the unstable distribution (sid) these problems have been fixed in version 4.3.0-2.

We recommend that you update your xfree86 package.

Fixed in:

Debian GNU/Linux 3.0 (woody): updated packages were released for the architecture-independent component and for Intel IA-32, Intel IA-64, Motorola 680x0, big endian MIPS, little endian MIPS, IBM S/390 and Sun Sparc.

The package file names and their MD5 checksums are available in the original advisory.