Advisories ยป MGASA-2017-0373

Updated libxfont packages fix security vulnerabilities

Publication date: 18 Oct 2017
Modification date: 18 Oct 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-13720 , CVE-2017-13722

Description

In the PatternMatch function in fontfile/fontdir.c in libXfont through
1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection
can cause a buffer over-read during pattern matching of fonts, leading
to information disclosure or a crash (denial of service). This occurs
because '\0' characters are incorrectly skipped in situations involving
? characters. (CVE-2017-13720)

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through
1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files)
could be used by local attackers authenticated to an Xserver for a
buffer over-read, for information disclosure or a crash of the X server.
(CVE-2017-13722)
                

References

SRPMS

5/core

6/core