Published: 2008/06/10  Last Updated: 2015/10/21

JVN#88935101
X.Org Foundation X server buffer overflow vulnerability

Overview

X server provided by the X.Org Foundation contains a buffer overflow vulnerability.

Products Affected

For more information, refer to each vendor's website.

Description

The X.Org Foundation provides an open source implementation of the X Window System. The X server of this implementation contains a vulnerability in the handling of Portable Compiled Font (PCF) format fonts that can be exploited to cause a buffer overflow.
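The advisory does not detail the faulty code path, so the following is an added, illustrative example (not X.Org or libXfont code) of the kind of check a PCF parser needs: every table count, size and offset taken from the file header is validated against the real buffer length before any later read uses it. It assumes the PCF layout of a 4-byte magic, a 32-bit table count and 16-byte table-of-contents entries, and the 64-table cap is an assumed sanity limit.

```c
/* Added illustrative example, not X.Org/libXfont code: parse a PCF table of
 * contents with every size and offset checked against the real buffer. */
#include <stdint.h>
#include <stddef.h>

#define PCF_MAGIC      0x70636601u /* bytes "\1fcp" read as little-endian */
#define PCF_MAX_TABLES 64          /* assumed sanity cap, not from the format */

struct pcf_table { uint32_t type, format, size, offset; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of tables copied into out[], or -1 if the header is
 * malformed. The table count is bounded before it is used in arithmetic, and
 * size is checked as size <= len - offset (never offset + size, which can wrap). */
int pcf_parse_toc(const uint8_t *buf, size_t len, struct pcf_table *out, size_t max_out) {
    if (len < 8 || rd32(buf) != PCF_MAGIC) return -1;
    uint32_t count = rd32(buf + 4);
    if (count == 0 || count > PCF_MAX_TABLES || count > max_out) return -1;
    if (8 + (size_t)count * 16 > len) return -1;  /* the TOC itself must fit */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 8 + i * 16;
        struct pcf_table t = { rd32(e), rd32(e + 4), rd32(e + 8), rd32(e + 12) };
        if (t.offset > len || t.size > len - t.offset) return -1;
        out[i] = t;
    }
    return (int)count;
}

/* Constructed sample: a header with one 4-byte table at offset 24 ... */
static const uint8_t PCF_SAMPLE_OK[28] = {
    0x01, 'f', 'c', 'p',  1, 0, 0, 0,
    1, 0, 0, 0,  0, 0, 0, 0,  4, 0, 0, 0,  24, 0, 0, 0,
    0xde, 0xad, 0xbe, 0xef };
/* ... and the same header with size 0xFFFFFFFF, which a naive 32-bit
 * offset + size check would wrap to 23 and accept. */
static const uint8_t PCF_SAMPLE_BAD[28] = {
    0x01, 'f', 'c', 'p',  1, 0, 0, 0,
    1, 0, 0, 0,  0, 0, 0, 0,  0xff, 0xff, 0xff, 0xff,  24, 0, 0, 0,
    0xde, 0xad, 0xbe, 0xef };

int pcf_demo_ok(void)  { struct pcf_table t[4]; return pcf_parse_toc(PCF_SAMPLE_OK,  sizeof PCF_SAMPLE_OK,  t, 4); }
int pcf_demo_bad(void) { struct pcf_table t[4]; return pcf_parse_toc(PCF_SAMPLE_BAD, sizeof PCF_SAMPLE_BAD, t, 4); }
```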

Impact

An attacker with an established, authenticated connection to the X server could execute arbitrary code with the privileges of the X server process or cause the server to crash.

Solution

Update the Software
Apply the latest updates provided by the vendors.

Vendor Status

Vendor               Status          Last Update  Vendor Notes
Allied Telesis K.K.  Not Vulnerable  2009/03/03
FUJITSU LIMITED      Vulnerable      2015/10/13

Vendor Link
Fedora Project       libXfont security update
Gentoo Linux
Mandriva, Inc.       Updated XFree86 packages fix multiple vulnerabilities
OpenBSD              OpenBSD 4.1 errata
Red Hat, Inc.        XFree86 security update
SUSE Linux
Ubuntu               libxfont, xorg-server vulnerabilities
X.Org Foundation

References

  1. US-CERT
    X.Org PCF font parser buffer overflow
  2. IPA
    Security Alert for X.Org Foundation X Server Vulnerability

JPCERT/CC Addendum

The X.Org Foundation released its security advisory on January 17, 2008, and CERT/CC released VU#203220 on March 19, 2008, regarding this vulnerability.

Vulnerability Analysis by JPCERT/CC

Credit

Takuya Shiozaki of CODE blog (codeblog.org) reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2008-0006
JVN iPedia JVNDB-2008-001043

Update History

2008/06/12
The first English advisory of this issue was published.
2008/07/17
Information under the section "References" was added.
2015/10/21
Vendor status for FUJITSU LIMITED was updated.