                 NetBSD Security Advisory 2013-010
                 =================================

Topic:          Use after free in Xserver handling of ImageText requests

Version:        NetBSD-current:         source prior to Oct 8th, 2013
                NetBSD 6.1 - 6.1.2:     affected
                NetBSD 6.0 - 6.0.3:     affected
                NetBSD 5.1 - 5.1.2:     affected
                NetBSD 5.2:             affected

Severity:       DoS, potential Code Execution

Fixed:          NetBSD-current:         Oct 8th, 2013
                NetBSD-6-0 branch:      Oct 12th, 2013
                NetBSD-6-1 branch:      Oct 12th, 2013
                NetBSD-6 branch:        Oct 12th, 2013
                NetBSD-5-2 branch:      Oct 13th, 2013
                NetBSD-5-1 branch:      Oct 13th, 2013
                NetBSD-5 branch:        Oct 13th, 2013

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An authenticated X11 client can cause an X11 server to use memory after
it was freed, potentially leading to a crash and/or memory corruption.

This vulnerability has been assigned CVE-2013-4396.


Technical Details
=================

A use-after-free vulnerability in the doImageText function in
dix/dixfonts.c in the X server allows remote authenticated users
to cause a denial of service or to conceivably execute arbitrary code
via a crafted ImageText request that triggers memory-allocation failure.

The error was present in X11R6, and thus is in both XFree and Xorg.


Solutions and Workarounds
=========================

Workaround: don't let untrustworthy clients (i.e. both other networked
servers and clients as well as graphical programs) attach to your
X11 server.

Solutions:
- Update the Xserver from a daily build later than the fix date:
  fetch from
  http://nyftp.NetBSD.org/pub/NetBSD-daily////
  the file binary/sets/xserver.tgz
  cd / && tar xzpf

- rebuild your system with the fix applied:
  Files to fix are:
  XFree: xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c
  XOrg:  xsrc/external/mit/xorg-server/dist/dix/dixfonts.c

  Xorg fixed versions are:
  HEAD          1.2
  netbsd-6      1.1.1.5.2.1
  netbsd-6-1    1.1.1.5.6.1
  netbsd-6-0    1.1.1.5.4.1
  netbsd-5      1.1.1.1.2.2
  netbsd-5-2    1.1.1.1.2.1.4.1
  netbsd-5-1    1.1.1.1.2.1.2.1

  Xfree fixed versions are:
  HEAD          1.4
  netbsd-6      1.3.2.1
  netbsd-6-1    1.3.6.1
  netbsd-6-0    1.3.4.1
  netbsd-5      1.2.8.1
  netbsd-5-2    1.2.14.1
  netbsd-5-1    1.2.12.1

  Don't forget the -x argument for build.sh.


Thanks To
=========

Thanks to X.Org for their advisory, which this one liberally derives from.


Revision History
================

        2013-11-13      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2013-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2013, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2013-010.txt,v 1.2 2013/11/13 00:44:05 tonnerre Exp $
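
Added example, not part of the NetBSD advisory: a shell check that compares a source tree's dixfonts.c revision against the fixed-version tables under "Solutions and Workarounds". The function names fixed_rev and fix_status are hypothetical, and the script assumes the revision is the "Working revision" reported by cvs status and that standard CVS branch numbering applies.

```shell
#!/bin/sh
# Added example: fixed dixfonts.c revisions copied from the advisory's tables.
# fixed_rev and fix_status are hypothetical helper names.
fixed_rev() {   # $1 = xorg|xfree, $2 = branch
    case "$1:$2" in
        xorg:HEAD)        echo 1.2 ;;
        xorg:netbsd-6)    echo 1.1.1.5.2.1 ;;
        xorg:netbsd-6-1)  echo 1.1.1.5.6.1 ;;
        xorg:netbsd-6-0)  echo 1.1.1.5.4.1 ;;
        xorg:netbsd-5)    echo 1.1.1.1.2.2 ;;
        xorg:netbsd-5-2)  echo 1.1.1.1.2.1.4.1 ;;
        xorg:netbsd-5-1)  echo 1.1.1.1.2.1.2.1 ;;
        xfree:HEAD)       echo 1.4 ;;
        xfree:netbsd-6)   echo 1.3.2.1 ;;
        xfree:netbsd-6-1) echo 1.3.6.1 ;;
        xfree:netbsd-6-0) echo 1.3.4.1 ;;
        xfree:netbsd-5)   echo 1.2.8.1 ;;
        xfree:netbsd-5-2) echo 1.2.14.1 ;;
        xfree:netbsd-5-1) echo 1.2.12.1 ;;
        *) return 1 ;;
    esac
}

# Print fixed, vulnerable or unknown for a working revision of dixfonts.c.
# Assumption: plain CVS numbering, where a branch revision extends its
# branch-point revision by two components.
fix_status() {  # $1 = xorg|xfree, $2 = branch, $3 = revision
    want=$(fixed_rev "$1" "$2") || { echo unknown; return; }
    have=$3
    case "$have" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return ;;
        *.*) ;;
        *) echo unknown; return ;;
    esac
    # Same CVS branch (all but the last component equal): compare the last.
    if [ "${have%.*}" = "${want%.*}" ]; then
        if [ "${have##*.}" -ge "${want##*.}" ]; then echo fixed
        else echo vulnerable; fi
        return
    fi
    # Branch-point revision the fix was committed on top of: predates the fix.
    case "$want" in
        "$have".*) echo vulnerable ;;
        *) echo unknown ;;   # off the fixed revision's branch: check by hand
    esac
}
```

For instance, `fix_status xorg netbsd-6 1.1.1.5` reports vulnerable because 1.1.1.5 is the revision the netbsd-6 fix was committed on top of; an "unknown" result means the revision is not on the branch listed in the advisory and needs manual review.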