2004-02-23: xfree86 security fixes

xfree86 (4.1.0-16woody3) stable-security; urgency=high

  * Security update release. Resolves the following issues:
    + CAN-2004-0083: Buffer overflow in ReadFontAlias from dirfile.c of
      XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to
      execute arbitrary code via a font alias file (font.alias) with a long
      token, a different vulnerability than CAN-2004-0084.
    + CAN-2004-0084: Buffer overflow in the ReadFontAlias function in XFree86
      4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows
      local or remote authenticated users to execute arbitrary code via a
      malformed entry in the font alias (font.alias) file, a different
      vulnerability than CAN-2004-0083.
    + CAN-2004-0106: Miscellaneous additional flaws in XFree86's handling of
      font files.
  * Fix multiple buffer overflows and insufficiently rigorous input validation
    in the X11R6 fontfile library. (Closes: #232378)
    - debian/patches/075_SECURITY_libfontfile_vulnerabilities.diff

 -- Branden Robinson Sat, 14 Feb 2004 13:44:41 -0500
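
The bug class named in the entry above (a long font.alias token copied into a fixed-size buffer) is avoided by a tokenizer that checks the remaining space before every byte it stores. The following is an added illustration, not the XFree86 code or the Debian patch; the names next_token, read_alias_pair and TOK_* are hypothetical and the file syntax is a simplified assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum { TOK_OK = 0, TOK_EOF = 1, TOK_TOO_LONG = -1, TOK_UNTERMINATED = -2 };

/* Copy the next token from *pp into out[outsz]. Assumed simplified syntax:
 * whitespace-separated names, optional double quotes, backslash escapes,
 * '!' starting a comment. Overlong tokens are rejected, never truncated. */
static int next_token(const char **pp, char *out, size_t outsz)
{
    const char *p = *pp;
    size_t n = 0;
    int quoted = 0;
    if (outsz == 0) return TOK_TOO_LONG;
    for (;;) {                                 /* skip blanks and comments */
        while (isspace((unsigned char)*p)) p++;
        if (*p != '!') break;
        while (*p && *p != '\n') p++;
    }
    if (*p == '\0') { *pp = p; return TOK_EOF; }
    if (*p == '"') { quoted = 1; p++; }
    while (*p && (quoted ? *p != '"' : !isspace((unsigned char)*p))) {
        if (*p == '\\' && p[1]) p++;           /* take escaped char literally */
        if (n + 1 >= outsz) return TOK_TOO_LONG;   /* keep room for the NUL */
        out[n++] = *p++;
    }
    if (quoted && *p++ != '"') return TOK_UNTERMINATED;
    out[n] = '\0';
    *pp = p;
    return TOK_OK;
}

/* Read one "alias fontname" pair: TOK_OK, TOK_EOF at end, negative on error. */
static int read_alias_pair(const char **pp, char *alias, char *name, size_t sz)
{
    int rc = next_token(pp, alias, sz);
    if (rc != TOK_OK) return rc;
    rc = next_token(pp, name, sz);
    return rc == TOK_EOF ? TOK_UNTERMINATED : rc;
}

int main(void)
{
    const char *p = "! comment\nfixed \"-misc-fixed-medium-r\"\n"; /* constructed sample */
    char alias[64], name[64];
    while (read_alias_pair(&p, alias, name, sizeof alias) == TOK_OK)
        printf("%s -> %s\n", alias, name);
    return 0;
}
```
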

xfree86 (4.1.0-16woody2) stable-security; urgency=high

  * Security update release. Resolves the following issues:
    + CAN-2003-0690: xdm does not verify whether the pam_setcred function call
      succeeds, which may allow attackers to gain root privileges by
      triggering error conditions within PAM modules, as demonstrated in
      certain configurations of the MIT pam_krb5 module.
    + CAN-2004-0093, CAN-2003-0094: Denial-of-service attacks against the X
      server by clients using the GLX extension and Direct Rendering
      Infrastructure are possible due to unchecked client data (out-of-bounds
      array indexes [CAN-2004-0093] and integer signedness errors
      [CAN-2004-0094]).
  * Patch xdm to call pam_strerror(), log the returned error, and exit the
    StartClient() function with a zero exit status (failure) if pam_setcred()
    returns a value other than PAM_SUCCESS.
    - debian/patches/073_SECURITY_xdm_pam_setcred_error_handling.diff
  * Add validation for the screen number parameter received over the wire by
    the X server's DRI extension code, and fix some similar checks in the GLX
    code. This fixes X server segfaults when an invalid screen value is
    provided (#A.1434, Felix Kühling).
    - debian/patches/074_SECURITY_DRI_and_GLX_DoS_fix.diff

 -- Branden Robinson Thu, 22 Jan 2004 20:07:06 -0500