X.Org Foundation develops the X-Window System, the standard window system for open source operating systems and devices. Most of the graphical user interfaces for Unix and Linux systems rely on it.
At the 30th Chaos Communication Congress (CCC) in Germany, Ilja van Sprundel, a security researcher gave the presentation titled "X11 Server security with being 'worse than it looks.'". He found more than 120 bugs in a few months.
In the presentation, he has presented a 23 year old Stack overflow vulnerability in X11 System that could lead to privilege escalation to root and affects all versions of the X Server back to X11R5.
Later today, X.Org Foundation released a security Advisory, states "A BDF font file containing a longer than expected string could overflow the buffer on the stack. Testing in X servers built with Stack Protector resulted in an immediate crash when reading a user-provided specially crafted font."
The flaw resides in a file at "libXfont/tree/src/bitmap/bdfread.c" and this LibXfont library used to handle fonts in all the X-servers, often working with root privilege. So a successful exploitation could lead to privilege escalation to root user.
The vulnerability assigned as CVE-2013-6462, was discovered using an automated cppcheck static analysis tool.
Platforms Affected:
- X.Org libXfont 1.2.1
- X.Org libXfont 1.2.2
- X.Org libXfont 1.3.1
- X.Org libXfont 1.4.3
X.Org Foundation has released a patch for it, includes new version libXfont 1.4.7.