Updated fontconfig packages fix security vulnerability
Publication date: 31 Aug 2016
Modification date: 31 Aug 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-5384
Description
Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation (CVE-2016-5384).
References
SRPMS
5/core
- fontconfig-2.11.1-4.1.mga5