Bug 1054285 - (CVE-2017-13720) VUL-1: CVE-2017-13720: libXfont: string overread / Check for end of string in PatternMatch.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low / Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/190623/
CVSSv2:SUSE:CVE-2017-13720:1.7:(AV:L...
Reported: 2017-08-17 15:49 UTC by Marcus Meissner
Modified: 2020-07-26 22:03 UTC



Attachments
main.c (1.42 KB, text/plain), 2017-08-17 15:51 UTC, Marcus Meissner
xfont.patch (981 bytes, patch), 2017-08-17 15:53 UTC, Marcus Meissner

Description Marcus Meissner 2017-08-17 15:49:23 UTC
via xorg_security, spotted by msrb

From: Michal Srb <msrb@suse.com>

If a pattern contains a '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
---
This may not even be considered security issue, but I am sending here first to
make sure.

It can be triggered via ProcOpenFont with a long pattern consisting only of
question marks, up to 255 characters long: "?????????????...??"

The invalid read is visible in valgrind:

==31824== Invalid read of size 1
==31824==    at 0x5A847BE: PatternMatch.part.0 (fontdir.c:406)
==31824==    by 0x5A84DFA: PatternMatch (fontdir.c:453)
==31824==    by 0x5A84DFA: FontFileFindNameInScalableDir (fontdir.c:458)
==31824==    by 0x5A86845: FontFileOpenFont.part.1 (fontfile.c:289)
==31824==    by 0x5024ED: doOpenFont (dixfonts.c:276)
==31824==    by 0x5029F1: OpenFont (dixfonts.c:442)
==31824==    by 0x5007BD: Dispatch (dispatch.c:430)
==31824==    by 0x5044FA: dix_main (main.c:300)
==31824==    by 0x66646E4: (below main) (libc-start.c:289)
==31824==  Address 0xbe97f5f is 17 bytes before a block of size 59 alloc'd
==31824==    at 0x4C29160: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31824==    by 0x5A84BFB: FontFileAddEntry (fontdir.c:194)
==31824==    by 0x5A852E9: FontFileAddFontFile (fontdir.c:688)
==31824==    by 0x5A83D52: FontFileReadDirectory (dirfile.c:138)
==31824==    by 0x5A859D5: FontFileInitFPE (fontfile.c:94)
==31824==    by 0x5021B1: SetFontPathElements (dixfonts.c:1636)
==31824==    by 0x503ADC: SetDefaultFontPath (dixfonts.c:1748)
==31824==    by 0x50440B: dix_main (main.c:236)
==31824==    by 0x66646E4: (below main) (libc-start.c:289)


It could in theory crash the X server, but in my case it never did.


 src/fontfile/fontdir.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index 4ce2473..cc3e2a6 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -400,8 +400,12 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
                }
            }
        case '?':
-           if (*string++ == XK_minus)
+           if ((t = *string++) == XK_minus) {
                stringdashes--;
+            } else {
+              if (!t)
+                  return 0;
+            }
            break;
        case '\0':
            return (*string == '\0');
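Review bot: the new `else { if (!t) return 0; }` in the `case '?':` arm would read better as a single `else if (!t) return 0;`, which keeps the arm to the same shape as the existing `if ... stringdashes--;` line and drops two braces. The added lines are also indented inconsistently with each other and with the surrounding code: the `} else {` sits one column to the right of the `if` it closes, and the inner `if (!t)` / `return 0;` pair uses a different step than the rest of the switch. Finally, the hunk uses `t` without introducing it, so it relies on `t` already being declared in PatternMatch's scope; that declaration is outside the context lines shown, so confirm it is a `char` (not an `int` that would need a separate EOF-style check) before merging.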
-- 
2.12.3
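As an added example (written for this page, not libXfont's code and not part of the report), the following stripped-down matcher reproduces just the cases the patch touches: '?' (match any one character), a literal character, and end of pattern. The '*' handling and the '-' field counting of the real PatternMatch are omitted. The "directory entry" is a constructed array that keeps the bytes after the terminator inside the same allocation, so the over-read is deterministic and safe to run; `entry`, `pattern_match_vuln`, `pattern_match_fixed` and `fixed_match_qmarks` are names chosen here, not libXfont identifiers.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified re-implementation (for this example only) of the cases of
 * libXfont's PatternMatch() that the CVE-2017-13720 patch touches:
 * '?' matches any one character, a literal matches itself, and the end of
 * the pattern matches only the end of the string.  '*' and the '-' field
 * counting of the real function are left out.  Returns 1 on match, 0 otherwise.
 */

/* Vulnerable form: '?' advances past whatever byte is there, the NUL included. */
static int pattern_match_vuln(const char *pat, const char *string)
{
    char c;

    for (;;) {
        switch (c = *pat++) {
        case '?':
            string++;           /* no check: walks past the terminator */
            break;
        case '\0':
            return *string == '\0';
        default:
            if (c == *string++)
                break;
            return 0;
        }
    }
}

/* Fixed form: the check the patch adds, a '?' landing on the terminator is a mismatch. */
static int pattern_match_fixed(const char *pat, const char *string)
{
    char c, t;

    for (;;) {
        switch (c = *pat++) {
        case '?':
            if ((t = *string++) == '\0')
                return 0;       /* pattern is longer than the string */
            break;
        case '\0':
            return *string == '\0';
        default:
            if (c == *string++)
                break;
            return 0;
        }
    }
}

/*
 * Constructed stand-in for a font name in the directory: "ab" followed by the
 * bytes that happen to sit after its terminator.  One array keeps the
 * over-read inside valid memory, unlike the heap layout in the valgrind trace.
 */
static const char entry[] = { 'a', 'b', '\0', 'c', 'd', '\0' };

/* The trigger from the report: n question marks (n <= 255) against "ab", fed to the fixed matcher only. */
static int fixed_match_qmarks(int n)
{
    char pat[256];

    if (n < 1 || n > 255)
        return -1;
    memset(pat, '?', (size_t) n);
    pat[n] = '\0';
    return pattern_match_fixed(pat, "ab");
}

int main(void)
{
    /* Both matchers agree while the pattern fits inside the string. */
    printf("\"??\"    vs \"ab\": vuln=%d fixed=%d\n",
           pattern_match_vuln("??", entry), pattern_match_fixed("??", entry));
    /* Five '?'s: the vulnerable matcher skips the NUL, eats "cd" and reports a match. */
    printf("\"?????\" vs \"ab\": vuln=%d fixed=%d\n",
           pattern_match_vuln("?????", entry), pattern_match_fixed("?????", entry));
    /* The 255-character trigger is only safe to feed to the fixed matcher. */
    printf("255 x '?' vs \"ab\": fixed=%d\n", fixed_match_qmarks(255));
    return 0;
}
```

The "?????" case is the point of the report in miniature: the unpatched loop consumes the terminator as if it were an ordinary character and keeps comparing against whatever follows, so the result depends on adjacent memory rather than on the font name; with the patch the third '?' hits the NUL and the call returns 0 without ever touching a byte past the string.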
Comment 1 Marcus Meissner 2017-08-17 15:51:53 UTC
Created attachment 737087
main.c

QA REPRODUCER:

gcc -o main main.c -lxcb -O2 -Wall

valgrind Xvfb :1 & 
./main

should not result in a valgrind Invalid read of size 1 warning.
Comment 2 Marcus Meissner 2017-08-17 15:53:05 UTC
Created attachment 737088
xfont.patch

xfont.patch version 2 from Michal.
Comment 4 Marcus Meissner 2017-08-29 09:16:30 UTC
Mitre assigned CVE-2017-13720.
Comment 6 Michal Srb 2017-09-04 15:10:46 UTC
Submitted, reassigning to security team.
Comment 9 Bernhard Wiedemann 2017-11-28 15:30:10 UTC
This is an autogenerated message for OBS integration:
This bug (1054285) was mentioned in
https://build.opensuse.org/request/show/546248 42.2+42.3 / libXfont
Comment 10 Swamp Workflow Management 2017-12-08 23:10:46 UTC
openSUSE-SU-2017:3256-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1049692,1050459,1054285
CVE References: CVE-2017-13720,CVE-2017-13722
Sources used:
openSUSE Leap 42.2 (src):    libXfont-1.5.1-9.3.1
Comment 11 Swamp Workflow Management 2018-01-26 20:14:31 UTC
SUSE-SU-2018:0246-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1049692,1050459,1054285,1065386
CVE References: CVE-2017-13720,CVE-2017-13722,CVE-2017-16612
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-libs-7.4-8.26.50.5.3
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-libs-7.4-8.26.50.5.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-libs-7.4-8.26.50.5.3
Comment 12 Swamp Workflow Management 2018-02-01 14:10:37 UTC
SUSE-SU-2018:0334-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1049692,1050459,1054285
CVE References: CVE-2017-13720,CVE-2017-13722
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libXfont-1.5.1-11.3.12
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libXfont-1.5.1-11.3.12
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libXfont-1.5.1-11.3.12
SUSE Linux Enterprise Server 12-SP3 (src):    libXfont-1.5.1-11.3.12
SUSE Linux Enterprise Server 12-SP2 (src):    libXfont-1.5.1-11.3.12
SUSE Linux Enterprise Desktop 12-SP3 (src):    libXfont-1.5.1-11.3.12
SUSE Linux Enterprise Desktop 12-SP2 (src):    libXfont-1.5.1-11.3.12
Comment 13 Marcus Meissner 2018-02-01 14:16:20 UTC
released
Comment 14 Swamp Workflow Management 2018-02-01 23:11:02 UTC
openSUSE-SU-2018:0343-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1049692,1050459,1054285
CVE References: CVE-2017-13720,CVE-2017-13722
Sources used:
openSUSE Leap 42.3 (src):    libXfont-1.5.1-13.1