__________________________________________________________

                      The U.S. Department of Energy
                  Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     /_\   /
                         \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

   Red Hat Updated XFree86 Packages Fix Privilege Escalation Vulnerability
                            [RHSA-2004:059-19]

February 13, 2004 18:00 GMT                                        Number O-081
[REVISED 17 FEB 2004]
[REVISED 27 FEB 2004]
[REVISED 02 MAR 2004]
[REVISED 28 APR 2004]
[REVISED 19 APR 2005]
______________________________________________________________________________
PROBLEM:       There are several security vulnerabilities:
               1) Two buffer overflows in the parsing of the 'font.alias' file.
               2) Additional flaws in reading font files.
PLATFORM:      Red Hat Linux 9
               Red Hat Enterprise Linux AS, ES, WS (v.3)
               Red Hat Enterprise Linux AS, ES, WS (v.2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI ProPack v2.4 and v2.3 for the Altix family of systems
               Debian GNU/Linux 3.0 (woody)
               HP-UX B.11.00, B.11.04, B.11.11, B.11.22, B.11.23
               Sun Solaris 7, 8, 9
DAMAGE:        A local attacker could exploit this vulnerability by creating a
               carefully crafted file and gaining root privileges.
SOLUTION:      Install the security patch.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local attacker could gain root
ASSESSMENT:    privileges.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-081.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2004:059-19
                     https://rhn.redhat.com/errata/RHSA-2004-059.html
 ADDITIONAL LINKS:   Red Hat RHSA-2004:061-29
                     https://rhn.redhat.com/errata/RHSA-2004-061.html
                     Red Hat RHSA-2004:060-16
                     https://rhn.redhat.com/errata/RHSA-2004-060.html
                     SGI Security Advisory Number 20040203-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20040203-01-U.asc
                     Debian Security Advisory DSA-443-1
                     http://www.debian.org/security/2004/dsa-443
                     Visit Hewlett Packard's Subscription Service for:
                     HP Security Bulletin HPSBUX01018 (SSRT4692)
                     Sun Alert ID: 57768
                     http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57768-1
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0083  CAN-2004-0084  CAN-2004-0106
______________________________________________________________________________
REVISION HISTORY:
 2/17/04 - added link to Red Hat Advisories RHSA-2004:061-29 and
           RHSA-2004:060-16.
 2/27/04 - added link to SGI Advanced Linux Environment Security Update #12,
           Security Advisory Number 20040203-01-U
 3/02/04 - added link to patches associated with Debian Security Advisory
           DSA-443-1.
 4/28/04 - added link to patches associated with HP Security Bulletin
           HPSBUX01018 (SSRT4692). This pertains to the following HP versions:
           HP-UX B.11.00, B.11.04, B.11.11, B.11.22, B.11.23
 4/19/04 - added link to patches for Solaris 7, 8, 9, available through Sun
           Alert ID: 57768.

[***** Start RHSA-2004:059-19 *****]

Updated XFree86 packages fix privilege escalation vulnerability

Advisory:             RHSA-2004:059-19
Last updated on:      2004-02-13
Affected Products:    Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2004-0083
                      CAN-2004-0084
                      CAN-2004-0106

Security Advisory

Details:

Updated XFree86 packages that fix a privilege escalation vulnerability are
now available.
XFree86 is an implementation of the X Window System, providing the core
graphical user interface and video drivers.

iDefense discovered two buffer overflows in the parsing of the 'font.alias'
file. A local attacker could exploit this vulnerability by creating a
carefully-crafted file and gaining root privileges. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names
CAN-2004-0083 and CAN-2004-0084 to these issues.

David Dawes also discovered additional flaws in reading font files. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0106 to these issues.

All users of XFree86 are advised to upgrade to these erratum packages, which
contain a backported fix and are not vulnerable to these issues.

Red Hat would like to thank David Dawes from XFree86 for the patches and
notification of these issues.

Updated packages:

Red Hat Linux 9
--------------------------------------------------------------------------------
SRPMS:
XFree86-4.3.0-2.90.55.src.rpm [ via FTP ] [ via HTTP ]
d02a7a7d68a89eb6330824a46c944c81

i386:
XFree86-100dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
d2229ab25ab6bcb7fa46b31b0494fb99
XFree86-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
481ce1f3cd1ed944c95c8bbf1b3e0905
XFree86-75dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
c8a788ef8c475112bdceeccfe6a3546e
XFree86-base-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
7756f4250379e0df816326c727c57d22
XFree86-cyrillic-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
b60a57b72a287222f7d43169976b23a0
XFree86-devel-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
677698b35ee92580f698920c45b12074
XFree86-doc-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
1a329b94a6e5af3fa6588781ec2e3d59
XFree86-font-utils-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
3b17669f2fb11622a86e7ff41c8899a4
XFree86-ISO8859-14-100dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
c932d2d854bd76a8d47b207ed885968b
XFree86-ISO8859-14-75dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
8f26fa23a902ff3aa87cc1b306d72b61
XFree86-ISO8859-15-100dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
35500771e9509c22a91a24ecca7889cf
XFree86-ISO8859-15-75dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
4f2c4afe60b80795249b18b57f8e1311
XFree86-ISO8859-2-100dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
6625628813a5172288c815fe98567c03
XFree86-ISO8859-2-75dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
b9bf0c66282490b6a4fdc1c18997fa6e
XFree86-ISO8859-9-100dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
f24d08da67cc0edd282d260ecc9a37c4
XFree86-ISO8859-9-75dpi-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
a54bcfa0c776f58524bd4848fe326869
XFree86-libs-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
cbd3f064fa8432540bbf122253f45c96
XFree86-libs-data-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
8d85f153ac1ecc9e115ac21cb95e5a5b
XFree86-Mesa-libGL-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
e7fda0a3519b54141c93369bfa2c1b25
XFree86-Mesa-libGLU-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
f0ae3a39808eb02a2dc16d0c42f584ec
XFree86-sdk-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
bc17f7fed32e35e4f835fcf978e36b17
XFree86-syriac-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
17c73f76b3b4056cf86a1a54e4c3e71d
XFree86-tools-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
5d193e89fe78511c28645f012a14f75c
XFree86-truetype-fonts-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
0ebb93ca3a20723bbaf034834fbd259d
XFree86-twm-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
25fbea5c33f283050b86a96519484082
XFree86-xauth-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
e6830e8b842ca4002cc48204363f6079
XFree86-xdm-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
32b135e82338a223e985eb2bf3b06ebe
XFree86-xfs-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
439856bed9767f63bcd4b56306208251
XFree86-Xnest-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
8514ddc0d9fdb4c5bd027aed971ecb4c
XFree86-Xvfb-4.3.0-2.90.55.i386.rpm [ via FTP ] [ via HTTP ]
4e68c610ed20ae0f0c03c9025574b968

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate Errors,
you need to install a version of the up2date client with an updated
certificate. The latest version of up2date is available from the Red Hat FTP
site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Bugs fixed: (see bugzilla for more information)

114901 - CAN-2004-0083 XFree86 font.alias overflow
76959 - applications receive too many keyboard events from X

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106
http://www.idefense.com/application/poi/display?id=72
http://www.idefense.com/application/poi/display?id=73

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security.
Our key is available at:
http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2004:059-19 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
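The RHSA text above gives the md5sum of every erratum package and tells the administrator to run "md5sum filename" and "rpm --checksig -v filename" before "rpm -Fvh". The script below is an added example, not code from Red Hat or CIAC: it turns the advisory's package list into an md5sum manifest, refuses any file in the download directory that is missing from that list or does not match its sum, and only then hands off to rpm for the GPG signature check. It assumes the package list was saved to a text file in the advisory's "NAME [ via FTP ] [ via HTTP ]" / "MD5" layout and that md5sum(1) is installed; the file and function names are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's or CIAC's code): check a directory of
# downloaded erratum RPMs against the md5 column of the advisory before
# running "rpm -Fvh", then hand off to "rpm --checksig -v" for the GPG check.
# Assumptions: the package list was saved to a text file in the advisory's
# "NAME [ via FTP ] [ via HTTP ]" / "MD5" layout, and md5sum(1) is present.

# advisory_to_manifest ADVISORY_TEXT
# Pairs each *.rpm name with the next 32-hex-digit token that follows it,
# whether the sum sits on the same line or on the next one, and prints
# "MD5  NAME" lines (the md5sum -c layout). Any other text is ignored.
advisory_to_manifest() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\.rpm$/) {
                name = $i
            } else if (name != "" && length($i) == 32 && $i ~ /^[0-9a-f]+$/) {
                printf "%s  %s\n", $i, name
                name = ""
            }
        }
    }' "$1"
}

# verify_rpm_dir MANIFEST DIR
# Every *.rpm in DIR must appear in MANIFEST and match its sum. An unlisted
# file is rejected as well, so a stray package cannot ride along into
# "rpm -Fvh *.rpm". Returns 0 only when every file passes.
verify_rpm_dir() {
    manifest=$1
    dir=$2
    status=0
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || { echo "no .rpm files in $dir" >&2; return 1; }
        name=$(basename "$f")
        expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
        if [ -z "$expected" ]; then
            echo "NOT IN ADVISORY: $name" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$f" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK: $name"
        else
            echo "MD5 MISMATCH: $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done
    return $status
}

# check_signatures DIR
# The md5 column only proves the download matches the advisory text; the GPG
# signature proves Red Hat built the package. Needs rpm(8) and the imported
# Red Hat public key on the host.
check_signatures() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available here; run 'rpm --checksig -v' on the target host" >&2
        return 2
    fi
    rpm --checksig -v "$1"/*.rpm
}

# Usage: sh verify_errata.sh ADVISORY_TEXT RPM_DIR   (file name is this example's own)
if [ "$#" -eq 2 ]; then
    advisory_to_manifest "$1" > "$2/advisory.md5"
    verify_rpm_dir "$2/advisory.md5" "$2" && check_signatures "$2"
fi
```

The md5 check and the signature check answer different questions: a matching sum shows the file is the one the advisory describes, while a good signature shows who built it. Since the advisory text itself travels over plain HTTP and mailing lists, the signature check is the one that should gate the install.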
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-071: Debian kernel-patch-2.4.17-mips Integer Overflow
O-072: Check Point FireWall-1 HTTP Security Server Vulnerability
O-073: Check Point VPN-1 Server and VPN Client Buffer Overflow Vulnerability
O-074: Red Hat Cross-site Scripting Vulnerability in Mailman Package
O-075: RealPlayer / RealOne Player Buffer Overrun Vulnerabilities
O-076: MS Vulnerability in Virtual PC for Mac
O-077: MS Vulnerability in the Windows Internet Naming Service (WINS)
O-078: Samba - Unauthorized Access to SMB Accounts
O-079: SGI - Userland Binary Vulnerabilities
O-080: Novell iChain Telnet Service Vulnerability