Debian Security Advisory

DLA-1126-1 libxfont -- LTS security update

Date Reported:
07 Oct 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2017-13720, CVE-2017-13722.
More information:

It was discovered that there two vulnerabilities the library providing font selection and rasterisation, libxfont:

  • CVE-2017-13720

    If a pattern contained a '?' character any character in the string is skipped even if it was a '\0'. The rest of the matching then read invalid memory.

  • CVE-2017-13722

    A malformed PCF file could cause the library to make reads from random heap memory that was behind the `strings` buffer, leading to an application crash or a information leak.

For Debian 7 Wheezy, this issue has been fixed in libxfont version 1:1.4.5-5+deb7u1.

We recommend that you upgrade your libxfont packages.