| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in X.org libXfont. The affected element is the function lexAlias. The manipulation leads to numeric error.
This vulnerability is uniquely identified as CVE-2014-0209. No exploit exists.
It is suggested to install a patch to address this issue.
Details
A vulnerability was found in X.org libXfont and classified as problematic. This issue affects the function lexAlias. The manipulation with an unknown input leads to a numeric error vulnerability. Using CWE to declare the problem leads to CWE-189. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata.
The weakness was disclosed 05/12/2014 by Huzaifa S. Sidhpurwala as Bug 1096593 as confirmed bug report (Bugzilla). The advisory is shared at bugzilla.redhat.com. The identification of this vulnerability is CVE-2014-0209 since 12/03/2013. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. The advisory points out:
lexAlias() reads from a file in a loop. It does this by starting with a 64 byte buffer. If that size limit is hit, it does a realloc of the buffer size << 1, basically doubling the needed length every time the length limit is hit. Eventually, this will shift out to 0 (for a length of ~4gig), and that length will be passed on to realloc(). A length of 0 (with a valid pointer) causes realloc to free the buffer on most POSIX platforms, but the caller will still have a pointer to it, leading to use after free issues.
The vulnerability scanner Nessus provides a plugin with the ID 74463 (SuSE 11.3 Security Update : xorg-x11-libs (SAT Patch Number 9272)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350325 (Amazon Linux Security Advisory for libXfont: ALAS-2014-404).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at cgit.freedesktop.org. A possible mitigation has been published 1 days after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:
if (tokenSize >= (INT_MAX >> 2)) /* Stop before we overflow */ return EALLOC;
The vulnerability is also documented in the databases at X-Force (93144), Tenable (74463), SecurityFocus (BID 67382†), OSVDB (106975†) and Secunia (SA58474†). The entries VDB-13218, VDB-13219, VDB-67096 and VDB-67083 are pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Vendor
Name
Version
- 1.2.3
- 1.2.4
- 1.2.5
- 1.2.6
- 1.2.7
- 1.2.8
- 1.2.9
- 1.3.0
- 1.3.1
- 1.3.2
- 1.3.3
- 1.3.4
- 1.4.0
- 1.4.1
- 1.4.2
- 1.4.3
- 1.4.4
- 1.4.5
- 1.4.6
- 1.4.7
- 1.4.99
License
Website
- Vendor: https://www.x.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.9
VulDB Temp Score: 5.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Numeric errorCWE: CWE-189
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 74463
Nessus Name: SuSE 11.3 Security Update : xorg-x11-libs (SAT Patch Number 9272)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 702927
OpenVAS Name: Debian Security Advisory DSA 2927-1 (libxfont - security update
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: cgit.freedesktop.org
Timeline
12/03/2013 🔍05/12/2014 🔍
05/12/2014 🔍
05/12/2014 🔍
05/13/2014 🔍
05/14/2014 🔍
05/15/2014 🔍
05/15/2014 🔍
05/16/2014 🔍
06/11/2014 🔍
06/16/2014 🔍
06/19/2021 🔍
Sources
Vendor: x.orgAdvisory: Bug 1096593
Researcher: Huzaifa S. Sidhpurwala
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-0209 (🔍)
GCVE (CVE): GCVE-0-2014-0209
GCVE (VulDB): GCVE-100-13217
OVAL: 🔍
X-Force: 93144 - X.Org libXfont lexAlias() buffer overflow, Medium Risk
SecurityFocus: 67382 - X.Org libXfont Multiple Integer Overflow and Memory Corruption Vulnerabilities
Secunia: 58474 - X.Org libXfont Multiple Vulnerabilities, Less Critical
OSVDB: 106975
SecurityTracker: 1030238 - libXfont Buffer Overflows Let Remote and Local Users Execute Arbitrary Code
Vulnerability Center: 44999 - X.Org LibXfont before 1.4.8 and 1.4.9.x before 1.4.99.901 Local Privilege Escalation Vulnerability, Medium
See also: 🔍
Entry
Created: 05/16/2014 16:18Updated: 06/19/2021 15:43
Changes: 05/16/2014 16:18 (90), 05/31/2017 08:45 (6), 06/19/2021 15:43 (3)
Complete: 🔍
Cache ID: 216:FCB:103
No comments yet. Languages: en.
Please log in to comment.