Synopsis :

The remote Debian host is missing a security-related update.

Description :

A number of vulnerabilities have been discovered in XFree86. The
corrections are listed below with the identification from the Common
Vulnerabilities and Exposures (CVE) project :

- CAN-2004-0083 :
Buffer overflow in ReadFontAlias from dirfile.c of
XFree86 4.1.0 through 4.3.0 allows local users and
remote attackers to execute arbitrary code via a font
alias file (font.alias) with a long token, a different
vulnerability than CAN-2004-0084.

- CAN-2004-0084 :

Buffer overflow in the ReadFontAlias function in XFree86
4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered
function, allows local or remote authenticated users to
execute arbitrary code via a malformed entry in the font
alias (font.alias) file, a different vulnerability than
CAN-2004-0083.

- CAN-2004-0106 :

Miscellaneous additional flaws in XFree86's handling of
font files.

- CAN-2003-0690 :

xdm does not verify whether the pam_setcred function
call succeeds, which may allow attackers to gain root
privileges by triggering error conditions within PAM
modules, as demonstrated in certain configurations of
the MIT pam_krb5 module.

- CAN-2004-0093, CAN-2004-0094 :

Denial-of-service attacks against the X server by
clients using the GLX extension and Direct Rendering
Infrastructure are possible due to unchecked client data
(out-of-bounds array indexes [CAN-2004-0093] and integer
signedness errors [CAN-2004-0094]).

Exploitation of CAN-2004-0083, CAN-2004-0084, CAN-2004-0106,
CAN-2004-0093 and CAN-2004-0094 would require a connection to the X
server. By default, display managers in Debian start the X server with
a configuration which only accepts local connections, but if the
configuration is changed to allow remote connections, or X servers are
started by other means, then these bugs could be exploited remotely.
Since the X server usually runs with root privileges, these bugs could
potentially be exploited to gain root privileges.

No attack vector for CAN-2003-0690 is known at this time.

See also :

http://www.debian.org/security/2004/dsa-443

Solution :

For the stable distribution (woody) these problems have been fixed in
version 4.1.0-16woody3.

We recommend that you update your xfree86 package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true