Debian Security Advisory

DSA-3644-1 fontconfig -- security update

Date Reported:
08 Aug 2016
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 833570.
In Mitre's CVE dictionary: CVE-2016-5384.
More information:

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

For the stable distribution (jessie), this problem has been fixed in version 2.11.0-6.3+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 2.11.0-6.5.

We recommend that you upgrade your fontconfig packages.