Debian DSA-443-1 : xfree86 - several vulnerabilities

critical Nessus Plugin ID 15280

Synopsis

The remote Debian host is missing a security-related update.

Description

A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project:

- CAN-2004-0083:

Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084.

- CAN-2004-0084:

Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083.

- CAN-2004-0106:

Miscellaneous additional flaws in XFree86's handling of font files.

- CAN-2003-0690:

xdm does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.

- CAN-2004-0093, CAN-2004-0094:

Denial-of-service attacks against the X server by clients using the GLX extension and Direct Rendering Infrastructure are possible due to unchecked client data (out-of-bounds array indexes [CAN-2004-0093] and integer signedness errors [CAN-2004-0094]).

Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, CAN-2004-0093 and CAN-2004-0094 would require a connection to the X server. By default, display managers in Debian start the X server with a configuration which only accepts local connections, but if the configuration is changed to allow remote connections, or X servers are started by other means, then these bugs could be exploited remotely.
Since the X server usually runs with root privileges, these bugs could potentially be exploited to gain root privileges.

No attack vector for CAN-2003-0690 is known at this time.

Solution

For the stable distribution (woody) these problems have been fixed in version 4.1.0-16woody3.

We recommend that you update your xfree86 package.

See Also

http://www.debian.org/security/2004/dsa-443

Plugin Details

Severity: Critical

ID: 15280

File Name: debian_DSA-443.nasl

Version: 1.24

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:3.0, p-cpe:/a:debian:debian_linux:xfree86

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/19/2004

Vulnerability Publication Date: 2/19/2004

Reference Information

CVE: CVE-2003-0690, CVE-2004-0083, CVE-2004-0084, CVE-2004-0093, CVE-2004-0094, CVE-2004-0106

BID: 9636, 9652, 9655, 9701

DSA: 443