GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Wed Sep 13, 2006 5:26 pm Post subject: [ GLSA 200609-07 ] LibXfont, monolithic X.org: Multiple inte |
 |
|
Gentoo Linux Security Advisory
Title: LibXfont, monolithic X.org: Multiple integer overflows (GLSA 200609-07)
Severity: high
Exploitable: local and remote
Date: September 13, 2006
Bug(s): #145513
ID: 200609-07
Synopsis
Some buffer overflows were discovered in the CID font parser, potentially
resulting in the execution of arbitrary code with elevated privileges.
Background
libXfont is the X.Org Xfont library, some parts are based on the
FreeType code base.
Affected Packages
Package: x11-libs/libXfont
Vulnerable: < 1.2.1
Unaffected: >= 1.2.1
Architectures: All supported architectures
Package: x11-base/xorg-x11
Vulnerable: < 7.0
Unaffected: >= 7.0
Architectures: All supported architectures
Description
Several integer overflows have been found in the CID font parser.
Impact
A remote attacker could exploit this vulnerability by enticing a user
to load a malicious font file resulting in the execution of arbitrary
code with the permissions of the user running the X server which
typically is the root user. A local user could exploit this
vulnerability to gain elevated privileges.
Workaround
Disable CID-encoded Type 1 fonts by removing the "type1" module and
replacing it with the "freetype" module in xorg.conf.
Resolution
All libXfont users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.1" |
All monolithic X.org users are advised to migrate to modular X.org.
References
CVE-2006-3739
CVE-2006-3740
Last edited by GLSA on Mon Nov 26, 2012 4:22 am; edited 2 times in total |
|
News & Announcements
