Another X.Org Security Advisory Disclosed Today

Written by Michael Larabel in X.Org on 17 March 2015 at 11:51 AM EDT.
Security researcher Ilja van Sprundel has previously characterized the X.Org security scene as a disaster. The IOActive researcher has already reported a large number of X.Org security issues, and today brings yet another advisory thanks to his work.

This newest X.Org security advisory covers another long-standing issue, one that dates back to its introduction in X11R5. If there is any good news here, it is that the advisory affects only the libXfont library, which is no longer widely used, although it is still developed.

This libXfont issue could allow an attacker to execute code with the same privileges as the X.Org Server, which generally runs as root. The advisory reads:
Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.

As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).
The resulting CVEs are "CVE-2015-1802: bdfReadProperties: property count needs range check", "CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read", and "CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct."
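The three CVE titles each name a missing check in a BDF parser. As an added illustration, not libXfont's code, the scanner below applies those checks to a constructed BDF fragment: the BDF_MAX_PROPERTIES bound, the status enum and the sample text are assumptions made for this example, and the BDF-to-xCharInfo field mapping in the comment is the conventional one.

```c
#include <stdio.h>
#include <string.h>
/* Outcomes and the property-count bound are constructed for this example, not libXfont's. */
enum bdf_status { BDF_OK = 0, BDF_BAD_PROPCOUNT, BDF_BAD_METRICS, BDF_TRUNCATED_BITMAP };
#define BDF_MAX_PROPERTIES 65535L
static int fits_int16(long v) { return v >= -32768 && v <= 32767; }
/* Constructed well-formed fragment used to exercise the checks. */
const char *SAMPLE_GOOD_BDF = "STARTFONT 2.1\nSTARTPROPERTIES 1\nFONT_ASCENT 7\nENDPROPERTIES\n"
    "CHARS 1\nSTARTCHAR a\nBBX 8 2 0 -1\nBITMAP\nFF\n81\nENDCHAR\nENDFONT\n";
/* Scan the text line by line; return BDF_OK or the first check that fails. */
enum bdf_status bdf_validate(const char *bdf)
{
    long props_expected = -1, props_seen = 0, rows_expected = 0, rows_seen = 0;
    int in_props = 0, in_bitmap = 0;
    const char *p = bdf;
    while (*p) {
        char line[256];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;  /* truncate, never overflow */
        memcpy(line, p, len); line[len] = '\0';
        p += nl ? full + 1 : full;
        long w, h, xo, yo;
        if (sscanf(line, "STARTPROPERTIES %ld", &props_expected) == 1) {
            /* CVE-2015-1802 theme: the declared count sizes the property table, so range-check it */
            if (props_expected < 0 || props_expected > BDF_MAX_PROPERTIES) return BDF_BAD_PROPCOUNT;
            in_props = 1; props_seen = 0;
        } else if (strcmp(line, "ENDPROPERTIES") == 0) {
            in_props = 0;
            if (props_seen != props_expected) return BDF_BAD_PROPCOUNT;
        } else if (in_props) {
            props_seen++;
        } else if (sscanf(line, "BBX %ld %ld %ld %ld", &w, &h, &xo, &yo) == 4) {
            /* CVE-2015-1804 theme: BBX feeds xCharInfo's INT16 fields (lsb xo, rsb xo+w, ascent yo+h, descent -yo) */
            if (w < 0 || h < 0 || !fits_int16(xo) || !fits_int16(xo + w) ||
                !fits_int16(yo + h) || !fits_int16(-yo)) return BDF_BAD_METRICS;
            rows_expected = h;
        } else if (strcmp(line, "BITMAP") == 0) {
            in_bitmap = 1; rows_seen = 0;
        } else if (strcmp(line, "ENDCHAR") == 0) {
            /* CVE-2015-1803 theme: bail out when the glyph's bitmap rows could not all be read */
            if (in_bitmap && rows_seen < rows_expected) return BDF_TRUNCATED_BITMAP;
            in_bitmap = 0;
        } else if (in_bitmap) {
            rows_seen++;
        }
    }
    if (in_bitmap && rows_seen < rows_expected) return BDF_TRUNCATED_BITMAP;
    return BDF_OK;
}
```

A parser that rejects the file at the first failed check, rather than continuing with an unchecked count or a half-read glyph, is the defensive shape the three fixes share.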