oss-sec mailing list archives

Re: Fwd: [ANNOUNCE] X.Org Security Advisory: More BDF file parsing issues in libXfont


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 17 Mar 2015 08:56:24 -0700

On 03/17/15 08:18 AM, Sven Schwedas wrote:
> On 2015-03-17 16:11, Alan Coopersmith wrote:
>> As libXfont is used by the X server to read font files, and an unprivileged
>> user with access to the X server can tell the X server to read a given font
>> file from a path of their choosing, these vulnerabilities have the potential
>
> Can this be exploited by any current browser's web fonts implementation,
> or will this require local access? (Loading fonts from user-writeable
> ~/.fonts seems to be enabled by default.)

I am not aware of any current browser which meets any of these criteria,
much less all of them:
 - supports the ancient BDF bitmap font format in its webfonts, instead of
   scalable font formats such as OpenType, TrueType, or Postscript Type 1.
 - uses the old X server-side font technology instead of rendering on
   the client side, where it can do complex text layout & antialiasing
 - downloads a BDF font from a website, stores to a local directory,
   runs mkfontdir in that directory, and adds it to the X font path.

The primary exploit path X.Org is aware of for these would be a local user who
can log in to an X session already, running "xset +fp" to add a directory
under their control to the font path of that X server in order to execute
code with the privileges of the X server (often root).

--
        -Alan Coopersmith-              alan.coopersmith () oracle com
          X.Org Security Response Team - xorg-security () lists x org
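
An added example, not part of the original message and not X.Org tooling: a POSIX shell audit that takes an X server font path and flags local directory elements that someone other than root can populate, which is what an element added from a user's own directory looks like. The function names, the `TRUSTED_UID` variable and the output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an X font path for directories a non-root user controls.
# Input is the comma-separated list printed under "Font Path:" by `xset q`, e.g.
#   audit_font_path "$(xset q | sed -n '/^Font Path:/{n;s/^ *//;p;}')"

TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only root should own font directories

# Print one FLAG line if the directory is not owned by TRUSTED_UID or is
# group/world-writable; also count BDF files the server could be asked to parse.
audit_dir() {
    [ -d "$1" ] || return 0
    uid=$(ls -ldn "$1/." | awk '{print $3}')        # "/." follows a symlinked dir
    loose=$(find "$1/." -prune \( -perm -020 -o -perm -002 \))
    [ "$uid" != "$TRUSTED_UID" ] || [ -n "$loose" ] || return 0
    w=no; [ -z "$loose" ] || w=yes
    bdf=$(find "$1/." -type f \( -name '*.bdf' -o -name '*.bdf.gz' \) | wc -l)
    echo "FLAG $1 owner_uid=$uid group_or_world_writable=$w bdf_files=$((bdf))"
}

audit_font_path() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r elem; do
        case "$elem" in
            catalogue:*)                 # directory of symlinks to font directories
                c=${elem#catalogue:}
                audit_dir "$c"           # whoever can write here can add symlinks
                for link in "$c"/*; do audit_dir "$link"; done ;;
            /*) audit_dir "${elem%:unscaled}" ;;   # plain directory element
            *)  ;;                       # built-ins, font servers: not local dirs
        esac
    done
}
```

A flagged directory means anyone who can write to it controls which font files the X server will parse.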
