Child pages
  • CERT Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service

Pages in the Historical section of this site are provided for historical purposes, they are no longer maintained. Links may not work.

Skip to end of metadata
Go to start of metadata
Original release date: November 25, 2002
Last revised: Tue Dec 17 08:17:32 EST 2002
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

  • Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
  • Sun Microsystems Solaris 2.6 (Sparc/Intel)
  • Sun Microsystems Solaris 7 (Sparc/Intel)
  • Sun Microsystems Solaris 8 (Sparc/Intel)
  • Sun Microsystems Solaris 9 (Sparc)


The Solaris X Window Font Service (XFS) daemon ( contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service.

I. Description

A remotely exploitable buffer overflow vulnerability exists in the Solaris X Window Font Service (XFS) daemon ( Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was discovered by ISS X-Force.

The Solaris X Window Font Service (XFS) serves font files to clients. Sun describes the XFS service as follows:

The X Font Server is a simple TCP/IP-based service that serves font files to its clients. Clients connect to the server to request a font set, and the server reads the font files off the disk and serves them to the clients. The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.
The XFS daemon is installed and running by default on all versions of the Solaris operating system. Further information about this vulnerability may be found in VU#312313.

This vulnerability is also being referred to as CAN-2002-1317 by CVE.

Note this vulnerability is in the X Window Font Server, and not the filesystem of a similar name.

II. Impact

A remote attacker can execute arbitrary code with the privileges of the daemon (typically nobody) or cause a denial of service by crashing the service.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Disable vulnerable service

Until patches can be applied, you may wish to disable the XFS daemon ( As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical Solaris system, it should be possible to disable the daemon by commenting out the relevant entries in /etc/inetd.conf and then restarting the inetd process.


Block access to port 7100/TCP at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter.

Appendix A. - Vendor Information

Hewlett-Packard Company

Originally issued: 4 Dec 2002

reference id:  CERT CA-2002-34, SSRT2429
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000 Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11, and 11.22
This bulletin is available from the HP IT Resource Center page at:  "Maintenance and Support" then "Support Information Digests" and then "hp security bulletins archive" search for bulletin HPSBUX0212-228.


HP Tru64 UNIX, HP NonStop Servers, HP openMVS


The AIX operating system is vulnerable to the xfs issues discussed in CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.

IBM provides the following official fixes:

     APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
     APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
     APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)

A temporary patch is available through an efix package which can be found at

Microsoft Corporation

The component in question is not used in any Microsoft product.


NetBSD ships the xfs from XFree86, though its not on or used by default.

Nortel Networks

Nortel Networks products and solutions using the affected Sun Solaris operating systems may utilize the XFS daemon; it is installed and running by default on all versions of the Solaris operating system. Nortel Networks recommends either disabling this feature or, if XFS must be run, following CERT/CC's recommendations to block access to Port 7100/TCP at the network perimeter. Nortel Networks also recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.

For more information please contact Nortel at:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa:00800 8008 9009, or +44 (0) 870 9079009

Contacts for other regions are available at


The xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable. OpenBSD 2.7 and later is not.

Red Hat Inc.

Red Hat Linux is not affected by this vulnerability.


We're not vulnerable to this.

Sun Microsystems

The Solaris X font server (xfs(1)) is affected by VU#312313 in the following supported versions of Solaris:

Solaris 2.6
Solaris 7
Solaris 8
Solaris 9

Patches are being generated for all of the above releases.  Sun will be publishing a Sun Alert for this issue at the following location shortly:


The patches will be available from:


We are not affected.

Appendix B. - References

  1. ISS X-Force Security Advisory: Solaris Remote Compromise Vulnerability -

  2. Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample DSDL Resource Type Implementation -

  3. CERT/CC Vulnerability Note: VU#312313 -

  4. CVE reference number CAN-2002-1317. Information available at

Internet Security Systems publicly reported this vulnerability.

Authors: Ian A. Finlay and Shawn V. Hernan.

Copyright 2002 Carnegie Mellon University.

Revision History

November 25, 2002: Initial release
November 25, 2002: Added vendor statement for Hewlett-Packard Company
November 25, 2002: Added vendor statement for Microsoft Corporation
December 02, 2002: Added vendor statement for SuSE
December 04, 2002: Added vendor statement for Red Hat Inc.
December 05, 2002: Revised vendor statement for OpenBSD
December 06, 2002: Revised vendor statement Hewlett-Packard Company
December 11, 2002: Added vendor statement for IBM (Note IBM provided their statement on December 5, 2002)
December 17, 2002: Added vendor statement for Nortel Networks

  • No labels