
[SECURITY] [DLA 1126-1] libxfont security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libxfont
Version        : 1:1.4.5-5+deb7u1
CVE IDs        : CVE-2017-13720 CVE-2017-13722

It was discovered that there were two vulnerabilities in the library providing
font selection and rasterisation, libxfont:

  * CVE-2017-13720: If a pattern contained a '?' character, any character
    in the string was skipped, even if it was a '\0'. The rest of the
    matching then read invalid memory.

  * CVE-2017-13722: A malformed PCF file could cause the library to make
    reads from random heap memory that was behind the `strings` buffer,
    leading to an application crash or an information leak.
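
As an added illustration (not part of the advisory and not libxfont's
source), the C below models both defect classes described above. The
matcher shows how a '?' wildcard that steps over the terminating '\0'
turns a non-matching string into a "match" by comparing bytes past the
end of the string, next to the checked version that refuses to skip the
terminator. The second part shows the kind of bounds check a PCF
properties reader needs before using a table offset into the `strings`
block. All function and structure names, and the sample inputs, are
assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Illustrative code written for this note; it is not libxfont's source.
 * Part 1 models the CVE-2017-13720 class of flaw ('?' steps over the
 * terminating '\0'); part 2 models the CVE-2017-13722 class (offsets from a
 * PCF table used without checking them against the size of the `strings`
 * block).  All names are assumptions.
 */

/* Glob-style matcher: '?' matches exactly one character, '*' any run.
 * With check_terminator == 0 it reproduces the flaw: '?' advances past
 * '\0', so the rest of the comparison reads bytes beyond the string.
 * With check_terminator == 1, '?' refuses to match the terminator. */
static int match_impl(const char *pattern, const char *str, int check_terminator)
{
    for (; *pattern != '\0'; pattern++) {
        if (*pattern == '*') {
            while (*++pattern == '*')
                ;                       /* collapse runs of '*' */
            if (*pattern == '\0')
                return 1;               /* trailing '*' matches the rest */
            for (; *str != '\0'; str++)
                if (match_impl(pattern, str, check_terminator))
                    return 1;
            return 0;
        }
        if (*pattern == '?') {
            if (check_terminator && *str == '\0')
                return 0;               /* the fix: never skip the terminator */
            str++;                      /* unchecked: steps over '\0' too */
            continue;
        }
        if (*pattern != *str)
            return 0;
        str++;
    }
    return *str == '\0';
}

static int match_unchecked(const char *pattern, const char *str)
{ return match_impl(pattern, str, 0); }

static int match_checked(const char *pattern, const char *str)
{ return match_impl(pattern, str, 1); }

/* Constructed input: the one-character string "a" whose terminator is
 * followed by a stray 'b' in the same array, standing in for whatever sits
 * after the string in memory.  Kept inside one array so the over-read stays
 * within defined behaviour for this demonstration. */
static const char SAMPLE[] = { 'a', '\0', 'b', '\0' };

/* Part 2: PCF properties carry offsets into a separate strings block
 * (assumed layout for this example). */
struct pcf_prop { uint32_t name_off; uint32_t value_off; };

/* Return the NUL-terminated string at `off`, or NULL when the offset lies
 * outside the block or no terminator exists before the block ends. */
static const char *pcf_string_at(const char *strings, size_t strings_size, uint32_t off)
{
    if (off >= strings_size)
        return NULL;
    if (memchr(strings + off, '\0', strings_size - off) == NULL)
        return NULL;
    return strings + off;
}

/* 1 if every name/value offset in the table resolves to a string, else 0. */
static int pcf_props_valid(const struct pcf_prop *props, size_t nprops,
                           const char *strings, size_t strings_size)
{
    for (size_t i = 0; i < nprops; i++) {
        if (pcf_string_at(strings, strings_size, props[i].name_off) == NULL ||
            pcf_string_at(strings, strings_size, props[i].value_off) == NULL)
            return 0;
    }
    return 1;
}

/* Constructed strings block: "FAMILY_NAME" at offset 0, "fixed" at 12. */
static const char PCF_STRINGS[] = "FAMILY_NAME\0fixed";

int main(void)
{
    struct pcf_prop good[] = { { 0, 12 } };
    struct pcf_prop bad[]  = { { 0, 4096 } };   /* value offset past the block */

    printf("unchecked \"a?b\" vs \"a\": %d (wrong: compared bytes past the terminator)\n",
           match_unchecked("a?b", SAMPLE));
    printf("checked   \"a?b\" vs \"a\": %d\n", match_checked("a?b", SAMPLE));
    printf("good table valid: %d, bad table valid: %d\n",
           pcf_props_valid(good, 1, PCF_STRINGS, sizeof PCF_STRINGS),
           pcf_props_valid(bad, 1, PCF_STRINGS, sizeof PCF_STRINGS));
    return 0;
}
```

The unchecked matcher reports "a?b" as matching the string "a" only
because the stray 'b' after the terminator happens to satisfy the
pattern; in a real process that byte is whatever follows the string on
the heap, which is the invalid read the advisory describes. The PCF
check rejects any offset at or beyond the block size and any string
that is not terminated inside the block, so a malformed table cannot
direct reads past the `strings` buffer.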

For Debian 7 "Wheezy", these issues have been fixed in libxfont version
1:1.4.5-5+deb7u1.

We recommend that you upgrade your libxfont packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----
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=6WjK
-----END PGP SIGNATURE-----

