X.Org Security Advisory, September 12, 2006
Integer overflows in handling CID encoded Type1 fonts
CVE-ID: CVE-2006-3739, CVE-2006-3740

Overview

A user with the ability to set the X server font path can point it at a malicious font and thereby cause arbitrary code execution or a denial of service in the X server.

Vulnerability details

The "type1" font module does not validate input data while parsing CID encoded Type1 fonts. Values taken from the font are used to compute the size of data buffers allocated during parsing, and those computations can overflow, so that the allocated buffer is smaller than the data subsequently written into it. Arbitrary code embedded in the malicious font can then be executed by the X server.

To exploit these vulnerabilities, an attacker must be able to connect to the X server and change its font path, for example with 'xset fp+' or an equivalent, so that it includes the malicious font.

CVE-2006-3740 describes a vulnerability in the scan_cidfont() function in Type1/scanfont.c; CVE-2006-3739 describes similar problems in the CIDADM() function in Type1/afm.c.

Affected versions

All X servers using the "type1" font module with CID font support are vulnerable to this issue. This includes all X.Org releases from 6.7.0 to 7.1 inclusive. Older versions are not supported by X.Org.

Workaround

If no CID encoded Type1 fonts are used, the "type1" module can be disabled in /etc/X11/xorg.conf and the "freetype" module used in its place. The freetype module handles Type1 fonts with standard (non CID) encoding as well as TrueType fonts, but not CID encoded Type1 fonts, so this workaround is not an option on systems that need them.

Systems with memory address space randomization are also less likely to be successfully compromised, since the most effective way to exploit these vulnerabilities relies on a fixed address space layout.
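The class of bug described under "Vulnerability details", as an added illustrative example. This is not libXfont code and does not reproduce scan_cidfont() or CIDADM(): it is a constructed toy record table whose header carries an untrusted record count, showing the 32-bit size arithmetic that wraps beside a bounded computation that rejects the same input. The table layout, RECORD_SIZE, the function names and the sample inputs are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy format, NOT libXfont's CID/AFM parser: a 4-byte
 * big-endian record count followed by RECORD_SIZE bytes per record. */
#define RECORD_SIZE 24u

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Buggy pattern: the allocation size is computed in 32-bit arithmetic
 * straight from the untrusted count, as int-based code on a 32-bit X
 * server of the period would.  Returns the size that would be passed
 * to the allocator, or 0 if the header is missing. */
uint32_t vulnerable_table_bytes(const uint8_t *buf, size_t len)
{
    if (len < 4) return 0;
    uint32_t count = read_be32(buf);
    return count * RECORD_SIZE;      /* wraps modulo 2^32 for count >= 2^32/24 */
}

/* Would the buggy size under-allocate relative to what a per-record copy
 * loop writes?  The comparison is done in 64 bits so it cannot wrap. */
int vulnerable_would_overflow(const uint8_t *buf, size_t len)
{
    if (len < 4) return 0;
    uint64_t intended = (uint64_t)read_be32(buf) * RECORD_SIZE;
    return intended > vulnerable_table_bytes(buf, len);
}

/* Hardened: bound the count by the bytes actually present after the
 * header.  That rejects truncated tables and, because
 * count <= avail / RECORD_SIZE, guarantees count * RECORD_SIZE fits in
 * size_t.  Returns 0 and sets *bytes on success, -1 on malformed input. */
int safe_table_bytes(const uint8_t *buf, size_t len, size_t *bytes)
{
    if (len < 4) return -1;
    uint32_t count = read_be32(buf);
    size_t avail = len - 4;
    if (count > avail / RECORD_SIZE) return -1;
    *bytes = (size_t)count * RECORD_SIZE;
    return 0;
}

/* Constructed sample inputs (not real font data). */
/* Well-formed: 2 records, header plus 2 * 24 zero bytes. */
uint8_t good_table[4 + 2 * RECORD_SIZE] = { 0, 0, 0, 2 };
/* Malicious: count 0x0AAAAAAB, and 0x0AAAAAAB * 24 = 2^32 + 8, so the
 * buggy computation yields an 8-byte allocation for ~4 GiB of writes. */
const uint8_t evil_table[4] = { 0x0A, 0xAA, 0xAA, 0xAB };

int main(void)
{
    size_t n = 0;
    printf("evil: buggy size %u bytes, overflow=%d, safe rc=%d\n",
           vulnerable_table_bytes(evil_table, sizeof evil_table),
           vulnerable_would_overflow(evil_table, sizeof evil_table),
           safe_table_bytes(evil_table, sizeof evil_table, &n));
    printf("good: safe rc=%d, %zu bytes\n",
           safe_table_bytes(good_table, sizeof good_table, &n), n);
    return 0;
}
```

The hardened check deliberately bounds the count by the remaining input length rather than only by SIZE_MAX / RECORD_SIZE: a count that passes the pure overflow test can still describe far more records than the file contains, and tying it to the data actually present closes both the overflow and the truncated-file case in one comparison.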
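The Module section change the workaround describes, as an added example and not a fragment taken from any distribution's xorg.conf; the set of Load lines shown is assumed and the real list on a given system will differ.

```conf
# /etc/X11/xorg.conf, Module section (constructed example)

# Before: the vulnerable CID-capable "type1" backend is loaded.
Section "Module"
    Load "type1"
    Load "freetype"
EndSection

# After: "type1" is no longer loaded; "freetype" serves Type1 fonts with
# standard (non CID) encoding and TrueType fonts.  CID encoded Type1
# fonts on the font path will stop rendering, so hosts that need them
# must take the libXfont 1.2.1 update or the patch instead.
Section "Module"
    Load "freetype"
EndSection
```

The change takes effect on the next X server start. To confirm it, check that the server log (Xorg.0.log) no longer contains a LoadModule: "type1" line, and that the font path reported by 'xset q' contains no directories whose only contents are CID fonts.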
Fix

These issues have been fixed in libXfont 1.2.1. For earlier versions, apply one of the following patches:

X.Org 6.8.2
  MD5:  3943de39723099857403a50bea2b4408 xorg-68x-cidfonts.patch
  SHA1: 1ff2c998453e233f9278be76ccb8a827cabbb067 xorg-68x-cidfonts.patch

X.Org 6.9.0
  MD5:  7c0c53f1c7ffd97b429eda1eefdff9cb x11r6.9.0-cidfonts.diff
  SHA1: bdb3b086e18fa1ee81020fa6a0657f097db7d037 x11r6.9.0-cidfonts.diff

X.Org 7.0 - libXfont 1.0.0
  MD5:  8bcbe12444326fab69f8a899c78519ea libXfont-1.0.0-cidfonts.diff
  SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.0.0-cidfonts.diff

X.Org 7.1 - libXfont 1.1.0
  MD5:  8bcbe12444326fab69f8a899c78519ea libXfont-1.1.0-cidfonts.diff
  SHA1: b0778179be6a52c5f10ddbb7cd349c06c3c8bd2d libXfont-1.1.0-cidfonts.diff

Note that the libXfont 1.0.0 and 1.1.0 patches carry identical checksums, i.e. the same diff applies to both releases. Verify the checksums before applying a patch.

Thanks

These vulnerabilities were reported to the X.Org Foundation by iDefense (IDEF1691 and IDEF1751).