[gentoo-announce] [ GLSA 201801-10 ] LibXfont, LibXfont2: Arbitrary file access - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201801-10 ] LibXfont, LibXfont2: Arbitrary file access
Date:	Tue, 09 Jan 2018 02:06:09
Message-Id:	`892d1e0e-42f0-2118-d0cc-761da6d4f3b8@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201801-10

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: LibXfont, LibXfont2: Arbitrary file access

9

     Date: January 08, 2018

10

     Bugs: #639064

11

       ID: 201801-10

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability has been found in LibXfont and LibXfont2 which may

19

allow for arbitrary file access.

20

21

Background

22

==========

23

24

X.Org Xfont library.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  x11-libs/libXfont            < 1.5.4                    >= 1.5.4

33

  2  x11-libs/libXfont2           < 2.0.3                    >= 2.0.3

34

    -------------------------------------------------------------------

35

     2 affected packages

36

37

Description

38

===========

39

40

It was discovered that libXfont incorrectly followed symlinks when

41

opening font files.

42

43

Impact

44

======

45

46

A local unprivileged user could use this flaw to cause the X server to

47

access arbitrary files, including special device files.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All LibXfont users should upgrade to the latest version:

58

59

  # emerge --sync

60

  # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.5.4"

61

62

All LibXfont2 users should upgrade to the latest version:

63

64

  # emerge --sync

65

  # emerge --ask --oneshot --verbose ">=x11-libs/libXfont2-2.0.3"

66

67

References

68

==========

69

70

[ 1 ] CVE-2017-16611

71

      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16611

72

73

Availability

74

============

75

76

This GLSA and any updates to it are available for viewing at

77

the Gentoo Security Website:

78

79

 https://security.gentoo.org/glsa/201801-10

80

81

Concerns?

82

=========

83

84

Security is a primary focus of Gentoo Linux and ensuring the

85

confidentiality and security of our users' machines is of utmost

86

importance to us. Any security concerns should be addressed to

87

security@g.o or alternatively, you may file a bug at

88

https://bugs.gentoo.org.

89

90

License

91

=======

92

93

Copyright 2018 Gentoo Foundation, Inc; referenced text

94

belongs to its owner(s).

95

96

The contents of this document are licensed under the

97

Creative Commons - Attribution / Share Alike license.

98

99

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201801-10
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: LibXfont, LibXfont2: Arbitrary file access
9	Date: January 08, 2018
10	Bugs: #639064
11	ID: 201801-10
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability has been found in LibXfont and LibXfont2 which may
19	allow for arbitrary file access.
20
21	Background
22	==========
23
24	X.Org Xfont library.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 x11-libs/libXfont < 1.5.4 >= 1.5.4
33	2 x11-libs/libXfont2 < 2.0.3 >= 2.0.3
34	-------------------------------------------------------------------
35	2 affected packages
36
37	Description
38	===========
39
40	It was discovered that libXfont incorrectly followed symlinks when
41	opening font files.
42
43	Impact
44	======
45
46	A local unprivileged user could use this flaw to cause the X server to
47	access arbitrary files, including special device files.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All LibXfont users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.5.4"
61
62	All LibXfont2 users should upgrade to the latest version:
63
64	# emerge --sync
65	# emerge --ask --oneshot --verbose ">=x11-libs/libXfont2-2.0.3"
66
67	References
68	==========
69
70	[ 1 ] CVE-2017-16611
71	https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16611
72
73	Availability
74	============
75
76	This GLSA and any updates to it are available for viewing at
77	the Gentoo Security Website:
78
79	https://security.gentoo.org/glsa/201801-10
80
81	Concerns?
82	=========
83
84	Security is a primary focus of Gentoo Linux and ensuring the
85	confidentiality and security of our users' machines is of utmost
86	importance to us. Any security concerns should be addressed to
87	security@g.o or alternatively, you may file a bug at
88	https://bugs.gentoo.org.
89
90	License
91	=======
92
93	Copyright 2018 Gentoo Foundation, Inc; referenced text
94	belongs to its owner(s).
95
96	The contents of this document are licensed under the
97	Creative Commons - Attribution / Share Alike license.
98
99	http://creativecommons.org/licenses/by-sa/2.5