Alan Coopersmith
2011-Aug-10 23:05 UTC
X.Org security advisory: libXfont LZW decompression heap corruption
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org Security advisory, August 10, 2011
libXfont LZW decompression heap corruption
CVE ID: CVE-2011-2895

libXfont contains a compress / LZW decompresser implementation based on the original BSD compress code. A specially crafted LZW stream can cause a buffer overflow in an application using libXfont that is used to open untrusted font files, such as the X server (often run with elevated privileges) when a client adds a local directory to the font path. Successful exploitation may possibly lead to a local privilege escalation.

Further details are given in the original bug report at:
https://bugzilla.redhat.com/show_bug.cgi?id=725760

Affected versions
- -----------------

libXfont up to, and including, 1.4.3

X11R7.6 (latest release of the full window system) includes libXfont 1.4.3

Fix
- ---

This issue has been fixed with git commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0

A fix of this vulnerability is included in libXfont 1.4.4

The X.Org Foundation thanks Tomas Hoger of the Red Hat Security Response Team for bringing this issue to our attention and supplying the fix.

- --
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Platform Engineering: X Window System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (SunOS)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5DDqMACgkQovueCB8tEw70twCginYE2QWdIo4qTgnjAYlnQJno
locAniP0eGD8+vhdRVS9a+MlHZll/Jqh
=2ENM
-----END PGP SIGNATURE-----
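The advisory leaves the details of the flaw to the bug report. As a general illustration of the input validation an LZW decoder needs when it reads untrusted streams, here is an added example; it is not libXfont code and not the fix commit. The function name, the 4096-entry dictionary, the pre-unpacked 16-bit codes and the sample streams are all assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LZW_MAX   4096  /* dictionary size: an assumption of this sketch */
#define LZW_FIRST 256   /* first non-literal code; no clear code is modelled */

/* Decode n already-unpacked codes into out[cap]. Returns bytes written,
 * or -1 for a malformed stream or when the output buffer would overflow. */
long lzw_decode(const uint16_t *codes, size_t n, uint8_t *out, size_t cap)
{
    uint16_t prefix[LZW_MAX] = {0};
    uint8_t suffix[LZW_MAX] = {0}, stack[LZW_MAX], first = 0;
    unsigned free_ent = LZW_FIRST;
    size_t len = 0;
    int old = -1;

    for (size_t i = 0; i < n; i++) {
        unsigned code = codes[i], cur = code;
        size_t sp = 0;

        if (old < 0) {
            if (code >= LZW_FIRST) return -1; /* must start with a literal */
        } else if (code > free_ent || code >= LZW_MAX) {
            return -1;                 /* names an entry that does not exist */
        } else if (code == free_ent) { /* KwKwK: the entry being defined now */
            stack[sp++] = first;
            cur = (unsigned)old;
        }
        while (cur >= LZW_FIRST) {     /* walk the prefix chain, bounded */
            if (sp + 1 >= sizeof stack) return -1;
            stack[sp++] = suffix[cur];
            cur = prefix[cur];
        }
        stack[sp++] = first = (uint8_t)cur;
        if (sp > cap - len) return -1; /* never write past the caller's buffer */
        while (sp) out[len++] = stack[--sp];
        if (old >= 0 && free_ent < LZW_MAX) {
            prefix[free_ent] = (uint16_t)old;
            suffix[free_ent++] = first;
        }
        old = (int)code;
    }
    return (long)len;
}

int main(void)
{
    const uint16_t good[] = {65, 66, 256, 258}, bad[] = {65, 300}; /* constructed */
    uint8_t out[16];
    printf("%ld %ld\n", lzw_decode(good, 4, out, sizeof out),
           lzw_decode(bad, 2, out, sizeof out));
    return 0;
}
```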