Debian Security Advisory
DLA-1126-1 libxfont -- LTS security update
- Date Reported:
- 07 Oct 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-13720, CVE-2017-13722.
- More information:
It was discovered that there two vulnerabilities the library providing font selection and rasterisation, libxfont:
If a pattern contained a '?' character any character in the string is skipped even if it was a '\0'. The rest of the matching then read invalid memory.
A malformed PCF file could cause the library to make reads from random heap memory that was behind the `strings` buffer, leading to an application crash or a information leak.
For Debian 7
Wheezy, this issue has been fixed in libxfont version 1:1.4.5-5+deb7u1.
We recommend that you upgrade your libxfont packages.