CVE-2013-6462
Published: 2014-01-09
Priority: P343 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 10.25% (95.1st percentile)
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
Affected
28 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxfont | < libxfont 1:1.4.7-1 (bookworm) | libxfont 1:1.4.7-1 (bookworm) |
| x.org | libxfont | >= 0 < 1:1.4.7-1 | 1:1.4.7-1 |
CVSS provenance
| Source | CVSS | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | 9.3 | CRITICAL | — |
| vendor_debian | 9.3 | CRITICAL | — |
| vendor_redhat | 9.3 | CRITICAL | — |
Ubuntu
libXfont vulnerability
vendor_ubuntu · 2014-01-07
CVE-2013-6462 libXfont vulnerability
Title: libXfont vulnerability
Summary: libXfont could be made to crash or run programs as an administrator if it opened a specially crafted font file.
It was discovered that libXfont incorrectly handled certain malformed BDF fonts. An attacker could use a specially crafted font file to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges. The default compiler options for affected releases should reduce the vulnerability to a denial of service.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts
vendor_redhat · 2014-01-07 · CVSS 9.3
CVE-2013-6462 [CRITICAL] CWE-121 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts
libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
Package: libXfont (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2013-6462: libxfont - Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread....
vendor_debian · 2013 · CVSS 9.3
CVE-2013-6462 [CRITICAL] CVE-2013-6462: libxfont - Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread....
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
Scope: local
bookworm: resolved (fixed in 1:1.4.7-1)
bullseye: resolved (fixed in 1:1.4.7-1)
forky: resolved (fixed in 1:1.4.7-1)
sid: resolved (fixed in 1:1.4.7-1)
trixie: resolved (fixed in 1:1.4.7-1)
GHSA
GHSA-7vj8-7ww8-h9v6: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread
ghsa_unreviewed · 2022-05-17
CVE-2013-6462 [HIGH] CWE-119 GHSA-7vj8-7ww8-h9v6: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
OSV
CVE-2013-6462: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread
osv · 2014-01-09 · CVSS 9.3
CVE-2013-6462 [CRITICAL] CVE-2013-6462: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread
Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts [fedora-all]
bugzilla · 2014-01-07 · CVSS 9.3
CVE-2013-6462 [CRITICAL] CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts [fedora-all]
CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes.
Bugzilla
CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts
bugzilla · 2014-01-03 · CVSS 9.3
CVE-2013-6462 [CRITICAL] CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts
CVE-2013-6462 libXfont: stack-based buffer overflow flaw when parsing Glyph Bitmap Distribution Format (BDF) fonts
A stack-based buffer overflow flaw was found in the way the libXfont library, used by the X.Org server, parsed Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.
Acknowledgements:
Red Hat would like to thank the X.Org security team for reporting this issue.
Discussion:
This issue is now public, and is noted as being fixed in libXfont 1.4.7 via the following commit:
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
It is also noted as affecting every version of X from X11R5 to libXfont 1.4.6.
External
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
http://lists.opensuse.org/opensuse-updates/2014-01/msg00050.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00052.html
http://lists.x.org/archives/xorg-announce/2014-January/002389.html
http://osvdb.org/101842
http://rhn.redhat.com/errata/RHSA-2014-0018.html
http://seclists.org/oss-sec/2014/q1/33
http://secunia.com/advisories/56240
http://secunia.com/advisories/56336
http://secunia.com/advisories/56357
http://secunia.com/advisories/56371
http://www.debian.org/security/2014/dsa-2838
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
http://www.securityfocus.com/bid/64694
http://www.ubuntu.com/usn/USN-2078-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/90123