X.Org security advisory: libXfont LZW decompression heap corruption

Alan Coopersmith alan.coopersmith at oracle.com
Wed Aug 10 16:05:08 PDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.Org Security advisory, August 10, 2011
libXfont LZW decompression heap corruption
CVE ID: CVE-2011-2895

libXfont contains a compress / LZW decompressor implementation based
on the original BSD compress code. A specially crafted LZW stream can
cause a buffer overflow in any application that uses libXfont to open
untrusted font files, such as the X server (often run with elevated
privileges) when a client adds a local directory to the font path.
Successful exploitation may lead to a local privilege escalation.

Further details are given in the original bug report at:
    https://bugzilla.redhat.com/show_bug.cgi?id=725760

Affected versions
- -----------------

libXfont up to, and including, 1.4.3
X11R7.6 (latest release of the full window system) includes libXfont 1.4.3

Fix
- ---

This issue has been fixed with git commit
  d11ee5886e9d9ec610051a206b135a4cdc1e09a0

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0

A fix for this vulnerability is included in libXfont 1.4.4

The X.Org Foundation thanks Tomas Hoger of the Red Hat Security Response Team
for bringing this issue to our attention and supplying the fix.

- -- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (SunOS)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5DDqMACgkQovueCB8tEw70twCginYE2QWdIo4qTgnjAYlnQJno
locAniP0eGD8+vhdRVS9a+MlHZll/Jqh
=2ENM
-----END PGP SIGNATURE-----
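
The advisory says only that a crafted LZW stream can overflow a buffer in the decompressor. The following added sketch, which is not libXfont code and not the referenced commit, shows the bounds checks a compress-style LZW decoder needs so that no code in the stream can index outside its tables, stack or output buffer. The name lzw_decode, the 12-bit table size, the absence of a clear code and the already-unpacked code array are assumptions made for this illustration.

```c
#include <stddef.h>

#define FIRST_FREE 256          /* codes 0..255 are literal bytes */
#define MAX_ENT    4096         /* 12-bit table, an assumption of this sketch */

/* Decode already-unpacked LZW codes into out. Returns bytes written,
 * or -1 if the stream is malformed or out is too small. */
long lzw_decode(const unsigned short *codes, size_t ncodes,
                unsigned char *out, size_t outcap)
{
    unsigned short prefix[MAX_ENT];
    unsigned char suffix[MAX_ENT], stack[MAX_ENT];
    size_t n = 0, sp;
    unsigned free_ent = FIRST_FREE, code, incode, oldcode = 0;
    unsigned char finchar = 0;

    for (size_t i = 0; i < ncodes; i++) {
        code = incode = codes[i];
        sp = 0;
        if (i == 0) {                       /* first code must be a literal */
            if (code >= FIRST_FREE) return -1;
        } else {
            /* A code may name an existing entry or the one about to be
             * created (the KwKwK case); anything beyond that is rejected. */
            if (code > free_ent || code >= MAX_ENT) return -1;
            if (code == free_ent) {         /* KwKwK: old string + its first byte */
                stack[sp++] = finchar;
                code = oldcode;
            }
        }
        while (code >= FIRST_FREE) {        /* walk the prefix chain */
            if (sp >= sizeof stack - 1) return -1;   /* bound the stack */
            stack[sp++] = suffix[code];
            code = prefix[code];
        }
        finchar = (unsigned char)code;
        stack[sp++] = finchar;
        if (sp > outcap - n) return -1;     /* bound the output buffer */
        while (sp > 0) out[n++] = stack[--sp];
        if (i > 0 && free_ent < MAX_ENT) {  /* learn oldcode's string + finchar */
            prefix[free_ent] = (unsigned short)oldcode;
            suffix[free_ent] = finchar;
            free_ent++;
        }
        oldcode = incode;
    }
    return (long)n;
}
```

Because every new entry's prefix is a code smaller than the entry itself, the prefix walk always terminates once undefined codes are rejected.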


