CVE-2014-0210
Published: 2014-05-15
Priority: P3 · 45 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 4.36% (90.0th percentile)
Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | libxfont | < libxfont 1:1.4.7-2 (bookworm) | libxfont 1:1.4.7-2 (bookworm) |
| x.org | libxfont | >= 0 < 1:1.4.7-2 | 1:1.4.7-2 |
| x.org | libxfont | >= 0 < 1:1.4.7-1ubuntu0.1 | 1:1.4.7-1ubuntu0.1 |
| x | libxfont | <= 1.4.7 | — |
| x | libxfont | — | — |
CVSS provenance
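| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | LOW | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 4.6 | MEDIUM | — |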
Ubuntu
libXfont vulnerabilities
vendor_ubuntu·2014-05-14·CVSS 4.6
CVE-2014-0209 [MEDIUM] libXfont vulnerabilities
Summary: Several security issues were fixed in libXfont.
Ilja van Sprundel discovered that libXfont incorrectly handled font
metadata file parsing. A local attacker could use this issue to cause
libXfont to crash, or possibly execute arbitrary code in order to gain
privileges. (CVE-2014-0209)
Ilja van Sprundel discovered that libXfont incorrectly handled X Font
Server replies. A malicious font server could return specially-crafted data
that could cause libXfont to crash, or possibly execute arbitrary code.
This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10
and Ubuntu 13.10. (CVE-2014-0210, CVE-2014-0211)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
libXfont: unvalidated length fields when parsing xfs protocol replies
vendor_redhat·2014-05-13·CVSS 7.5
CVE-2014-0210 [HIGH] CWE-130 libXfont: unvalidated length fields when parsing xfs protocol replies
Multiple out-of-bounds write flaws were found in the way libXfont parsed replies received from an X.org font server. A malicious X.org server could cause an X client to crash or, possibly, execute arbitrary code with the privileges of the X.Org server.
Debian
CVE-2014-0210: libxfont - Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.9...
vendor_debian·2014·CVSS 7.5
CVE-2014-0210 [HIGH] CVE-2014-0210: libxfont - Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.9...
Scope: local
bookworm: resolved (fixed in 1:1.4.7-2)
bullseye: resolved (fixed in 1:1.4.7-2)
forky: resolved (fixed in 1:1.4.7-2)
sid: resolved (fixed in 1:1.4.7-2)
trixie: resolved (fixed in 1:1.4.7-2)
GHSA
GHSA-j6x2-5mpm-9564: Multiple buffer overflows in X
ghsa_unreviewed·2022-05-14
CVE-2014-0210 [HIGH] CWE-119 GHSA-j6x2-5mpm-9564: Multiple buffer overflows in X
OSV
CVE-2014-0210: Multiple buffer overflows in X
osv·2014-05-15·CVSS 7.5
CVE-2014-0210 [HIGH] CVE-2014-0210: Multiple buffer overflows in X
OSV
libxfont vulnerabilities
osv·2014-05-14·CVSS 4.6
CVE-2014-0209 [MEDIUM] libxfont vulnerabilities
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-0211 CVE-2014-0210 CVE-2014-0209 libXfont: various flaws [fedora-all]
bugzilla·2014-05-13·CVSS 4.6
CVE-2014-0211 [MEDIUM] CVE-2014-0211 CVE-2014-0210 CVE-2014-0209 libXfont: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this issue affects multiple
Bugzilla
CVE-2014-0210 libXfont: unvalidated length fields when parsing xfs protocol replies
bugzilla·2014-05-12·CVSS 7.5
CVE-2014-0210 [HIGH] CVE-2014-0210 libXfont: unvalidated length fields when parsing xfs protocol replies
When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data.
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
fs_read_list(), fs_read_list_info()
Acknowledgements:
Red Hat would like to thank the X.org project for reporting this issue. Upstream acknowledges Ilja van Sprundel as the original reporter of this issue.
Discussion:
Upstream commits:
http://cgit.freedesktop.org/xorg/lib
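The missing check described in the Bugzilla entry above, as an added example that is not libXfont's code or the upstream patch: a parser for a constructed length-prefixed reply that validates every server-supplied length and count against the bytes received and the destination capacity before copying. The reply layout, `parse_name_list`, `HDR_LEN` and `NAME_CAP` are assumptions made for illustration, not the xfs wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN  8u    /* assumed layout: u32 reply_len, u32 count, then items */
#define NAME_CAP 64u   /* size of each destination slot, including the NUL */

/* Constructed sample replies (not captured traffic, not the xfs wire format). */
static const unsigned char good_reply[] = {14,0,0,0, 2,0,0,0, 2,'a','b', 2,'c','d'};
static const unsigned char long_item[]  = {11,0,0,0, 1,0,0,0, 200,'a','b'};
static const unsigned char big_count[]  = {11,0,0,0, 3,0,0,0, 2,'a','b'};
static const unsigned char big_length[] = {40,0,0,0, 1,0,0,0, 2,'a','b'};
static char out[4][NAME_CAP];

static uint32_t rd_u32(const unsigned char *p)  /* little-endian, unaligned-safe */
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns names stored, or -1 when a length/count field exceeds reply or slots. */
int parse_name_list(const unsigned char *buf, size_t received,
                    char names[][NAME_CAP], size_t max_names)
{
    if (received < HDR_LEN) return -1;  /* header itself is incomplete */
    uint32_t reply_len = rd_u32(buf), count = rd_u32(buf + 4);
    if (reply_len < HDR_LEN || reply_len > received)
        return -1;                      /* declared size vs. bytes received */
    if (count > max_names)
        return -1;                      /* count vs. allocated slots */
    size_t off = HDR_LEN;
    for (uint32_t i = 0; i < count; i++) {
        if (off >= reply_len)
            return -1;                  /* no byte left for the item length */
        size_t n = buf[off++];
        if (n > reply_len - off || n >= NAME_CAP)
            return -1;                  /* item runs past the reply or the slot */
        memcpy(names[i], buf + off, n);
        names[i][n] = '\0';
        off += n;
    }
    return (int)count;
}

int main(void)
{
    return parse_name_list(good_reply, sizeof good_reply, out, 4) == 2 &&
           parse_name_list(long_item, sizeof long_item, out, 4) == -1 &&
           parse_name_list(big_count, sizeof big_count, out, 4) == -1 &&
           parse_name_list(big_length, sizeof big_length, out, 4) == -1 ? 0 : 1;
}
```

Each rejected sample corresponds to one class of unchecked field named in the report: an item length larger than the reply, a count larger than the data present, and a declared reply size larger than what was received.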