MGASA-2017-0373

Source
https://advisories.mageia.org/MGASA-2017-0373.html
Import Source
https://advisories.mageia.org/MGASA-2017-0373.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2017-0373
Published
2017-10-18T20:19:34Z
Modified
2017-10-18T19:58:21Z
Summary
Updated libxfont packages fix security vulnerabilities
Details

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters. (CVE-2017-13720)

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an X server for a buffer over-read, for information disclosure or a crash of the X server. (CVE-2017-13722)


Affected packages

Mageia:6 / libxfont

Package

Name
libxfont
Purl
pkg:rpm/mageia/libxfont?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.2-1.1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / libxfont2

Package

Name
libxfont2
Purl
pkg:rpm/mageia/libxfont2?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.1-4.1.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / libxfont

Package

Name
libxfont
Purl
pkg:rpm/mageia/libxfont?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.1-1.1.mga5

Ecosystem specific

{
    "section": "core"
}