When using the Konqueror web browser and entering roughly 9000 or more 'A' characters into a search box (for instance the web search box on www.yahoo.com), it is possible to crash the whole X environment. Since the 9000 'A's can be forced on the user as input (by using JavaScript, default form values, etc.), this allows a remote attacker to cause the crash remotely.
Credit:
The information has been provided by scott, John Scimone, and Matthieu Herrb.
Vulnerable systems:
K Desktop version 2.1.2 with XFree86 version prior to 4.1.0
Immune systems:
XFree86 version above 4.1.0
Example:
By including the following HTML code in an existing page the vulnerability can be verified:
<input type="text" value="(9000 A's)">
You will also need JavaScript that submits the form automatically, e.g. onload = document.forms[0].submit(), since the vulnerability only manifests itself when the form is submitted.
Solution:
Apply the patch provided below.
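To show what the patch's comment about 16-bit overflows refers to, here is a constructed C model (added here, not XFree86 code) of a BoxRec with 16-bit edges together with the pre-patch and patched styles of bounds check; the clip extents and glyph sizes are made-up values, and the field names mirror the patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the X server's BoxRec: coordinates are 16-bit, so an
 * int edge outside [-32768, 32767] is silently truncated on store. */
typedef struct { short x1, y1, x2, y2; } BoxRec;

/* Pre-patch style check: rejects only edges that went negative in int
 * arithmetic, then narrows all four edges to 16 bits. */
static bool glyph_box_old(int x, int y, int width, int height, BoxRec *box)
{
    if (x + width < 0)  return false;
    if (y + height < 0) return false;
    box->x1 = (short) x; box->x2 = (short) (x + width);
    box->y1 = (short) y; box->y2 = (short) (y + height);
    return true;
}

/* Patched style check: compare the int edges against the clip region's
 * extents while still in int, before anything is narrowed to 16 bits. */
static bool glyph_box_new(const BoxRec *ext, int x, int y, int width,
                          int height, BoxRec *box)
{
    if (x < (int) ext->x1)          return false;
    if ((int) ext->x2 < x + width)  return false;
    if (y < (int) ext->y1)          return false;
    if ((int) ext->y2 < y + height) return false;
    box->x1 = (short) x; box->x2 = (short) (x + width);
    box->y1 = (short) y; box->y2 = (short) (y + height);
    return true;
}

/* A clip box is usable only if its far edges are not before its near edges. */
static bool box_well_formed(const BoxRec *b) { return b->x1 <= b->x2 && b->y1 <= b->y2; }

int main(void)
{
    BoxRec screen = { 0, 0, 1024, 768 };   /* constructed clip extents */
    BoxRec box;
    int x = 100, width = 40000;            /* constructed: x + width > 32767 */

    if (glyph_box_old(x, 0, width, 16, &box))
        printf("old check accepted: x1=%d x2=%d well_formed=%d\n",
               box.x1, box.x2, box_well_formed(&box));
    printf("new check accepted: %d\n",
           glyph_box_new(&screen, x, 0, width, 16, &box));
    return 0;
}
```

With the old check the oversized run is accepted and box.x2 wraps to a negative value, so the box is no longer well-formed; the extents comparison rejects it before the truncation happens.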
Patch:
Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c 2001/05/29 04:54:09 1.11
+++ fbglyph.c 2001/09/07 15:16:00 1.12
@@ -34,9 +34,19 @@
int height)
{
BoxRec box;
+ BoxPtr pExtents = REGION_EXTENTS (0, pRegion);
- if (x + width < 0) return FALSE;
- if (y + height < 0) return FALSE;
+ /*
+ * Check extents by hand to avoid 16 bit overflows
+ */
+ if (x < (int) pExtents->x1)
+ return FALSE;
+ if ((int) pExtents->x2 < x + width)
+ return FALSE;
+ if (y < (int) pExtents->y1)
+ return FALSE;
+ if ((int) pExtents->y2 < y + height)
+ return FALSE;
box.x1 = x;
box.x2 = x + width;
box.y1 = y;
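Review bot: the dropped `if (x + width < 0)` / `if (y + height < 0)` tests caught only edges that went negative in int arithmetic; an edge beyond 32767 passed them and was then truncated when assigned to the 16-bit `box.x2` / `box.y2` below, which is the overflow the new comment names, and comparing `x`, `x + width`, `y` and `y + height` against `pExtents` while still in int closes that. One nit: `REGION_EXTENTS (0, pRegion)` is now evaluated unconditionally at the top, so the function relies on `pRegion` being valid on every call; confirm that no caller reaches this with an empty or unset region.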
@@ -261,10 +271,10 @@
FbBits,
int,
int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
glyph = 0;
if (pGC->fillStyle == FillSolid && pPriv->and == 0)
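Review bot: zero-initialising `dst`, `dstStride`, `dstBpp`, `dstXoff` and `dstYoff` only matters if they are read on a path where the fast path guarded by `if (pGC->fillStyle == FillSolid && pPriv->and == 0)` did not assign them; that code lies outside the hunk, so confirm whether such a read exists. If it does, the initialisation turns an undefined read into a deterministic one but a NULL `dst` would still need its own guard; if it does not, this is a warning fix and a one-line comment saying so would spare the next reader the same question.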
@@ -352,10 +362,10 @@
FbBits,
int,
int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
glyph = 0;
if (pPriv->and == 0)
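Review bot: this repeats the initialisation change from the hunk at `@@ -261,10 +271,10 @@`, now under `if (pPriv->and == 0)`, so the same question applies: are these locals read anywhere without the fast path having assigned them? Since both functions carry the identical declaration block (`FbBits *dst = 0;` through `int dstXoff = 0, dstYoff = 0;`), consider whether that setup could be shared so future fixes land in one place.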