A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project: CAN-2004-0083: Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084. CAN-2004-0084: Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083. CAN-2004-0106: Miscellaneous additional flaws in XFree86's handling of font files. CAN-2003-0690: xdm does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. CAN-2004-0093, CAN-2004-0094: Denial-of-service attacks against the X server by clients using the GLX extension and Direct Rendering Infrastructure are possible due to unchecked client data (out-of-bounds array indexes [CAN-2004-0093] and integer signedness errors [CAN-2004-0094]). Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, CAN-2004-0093 and CAN-2004-0094 would require a connection to the X server. By default, display managers in Debian start the X server with a configuration which only accepts local connections, but if the configuration is changed to allow remote connections, or X servers are started by other means, then these bugs could be exploited remotely. Since the X server usually runs with root privileges, these bugs could potentially be exploited to gain root privileges. No attack vector for CAN-2003-0690 is known at this time. For the stable distribution (woody) these problems have been fixed in version 4.1.0-16woody3. For the unstable distribution (sid) these problems have been fixed in version 4.3.0-2. We recommend that you update your xfree86 package.
A number of vulnerabilities have been discovered in XFree86. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project:
Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CAN-2004-0084.
Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CAN-2004-0083.
Miscellaneous additional flaws in XFree86's handling of font files.
xdm does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.
Denial-of-service attacks against the X server by clients using the GLX extension and Direct Rendering Infrastructure are possible due to unchecked client data (out-of-bounds array indexes [CAN-2004-0093] and integer signedness errors [CAN-2004-0094]).
Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106, CAN-2004-0093 and CAN-2004-0094 would require a connection to the X server. By default, display managers in Debian start the X server with a configuration which only accepts local connections, but if the configuration is changed to allow remote connections, or X servers are started by other means, then these bugs could be exploited remotely. Since the X server usually runs with root privileges, these bugs could potentially be exploited to gain root privileges.
No attack vector for CAN-2003-0690 is known at this time.
For the stable distribution (woody) these problems have been fixed in version 4.1.0-16woody3.
For the unstable distribution (sid) these problems have been fixed in version 4.3.0-2.
We recommend that you update your xfree86 package.
MD5 checksums of the listed files are available in the original advisory.