Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-1126-1 libxfont

Debian Security Advisory

DLA-1126-1 libxfont -- LTS security update

Date Reported:

07 Oct 2017

Affected Packages:

libxfont

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-13720, CVE-2017-13722.

More information:

It was discovered that there two vulnerabilities the library providing font selection and rasterisation, libxfont:

• CVE-2017-13720

  If a pattern contained a '?' character any character in the string is skipped even if it was a '\0'. The rest of the matching then read invalid memory.

• CVE-2017-13722

  A malformed PCF file could cause the library to make reads from random heap memory that was behind the `strings` buffer, leading to an application crash or a information leak.

For Debian 7 Wheezy, this issue has been fixed in libxfont version 1:1.4.5-5+deb7u1.

We recommend that you upgrade your libxfont packages.