Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 634044 (CVE-2017-13720, CVE-2017-13722) - <x11-libs/libXfont2-2.0.2, <x11-libs/libXfont-1.5.3: multiple vulnerabilities: multiple vulnerabilities
Summary: <x11-libs/libXfont2-2.0.2, <x11-libs/libXfont-1.5.3: multiple vulnerabilities...
Status: RESOLVED FIXED
Alias: CVE-2017-13720, CVE-2017-13722
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2017-10-11 19:15 UTC by D'juan McDonald (domhnall)
Modified: 2018-07-27 22:15 UTC (History)
1 user (show)

See Also:
Package list:
=x11-libs/libXfont2-2.0.2 =x11-libs/libXfont-1.5.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-10-11 19:15:54 UTC
CVE-2017-13720(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13720):

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters.

Bug Reference:https://bugzilla.redhat.com/show_bug.cgi?id=1500690

Upstream Patch:
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608

CVE-2017-13722(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13722):

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server.

Bug Reference:https://bugzilla.redhat.com/show_bug.cgi?id=1500693

Upstream Patch:
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd

@maintainer(s), proceed as necessary, call stabilization when ready. Thank you.

Gentoo Security Padawan
Daj Uan (jmbailey/mbailey_j)
Comment 1 Mart Raudsepp gentoo-dev 2017-10-11 20:04:36 UTC
Note that libXfont and libXfont2 are two different packages here.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-10-11 20:22:25 UTC
commit 24a749d3dbff9d0697ad6ab5b86469eb3fd265be
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Wed Oct 11 22:18:29 2017 +0200

    x11-libs/libXfont2: Version bump to 2.0.2
    
    Package-Manager: Portage-2.3.11, Repoman-2.3.3
Comment 3 Mart Raudsepp gentoo-dev 2017-10-11 20:48:52 UTC
(and we have libXfont package still in tree too, to be patched or something..).. so... separate bugs with a tracker?
Comment 4 D'juan McDonald (domhnall) 2017-10-11 21:40:53 UTC
(In reply to Manuel Rüger from comment #2)
>x11-libs/libXfont2: Version bump to 2.0.2
    
>    Package-Manager: Portage-2.3.11, Repoman-2.3.3

...that was fast, thank you. Call stable when ready, please.
Comment 5 Matt Turner gentoo-dev 2017-10-19 20:55:34 UTC
Please proceed :)
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 01:37:33 UTC
Meh, this should have been separated.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-21 12:46:22 UTC
ppc/ppc64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-22 20:34:16 UTC
x86 stable

Adding missing architectures.
Comment 9 Agostino Sarubbo gentoo-dev 2017-10-23 08:09:12 UTC
amd64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-24 07:08:07 UTC
hppa stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-24 21:45:49 UTC
ia64 stable
Comment 12 Rolf Eike Beer archtester 2017-11-02 14:22:32 UTC
tatt report for sparc:

USE='-bzip2 -doc -ipv6 -static-libs -truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='-bzip2 doc ipv6 -static-libs -truetype' : REQUIRED_USE not satisfied (probably)
USE='bzip2 -doc -ipv6 static-libs -truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='-bzip2 doc -ipv6 static-libs -truetype' : REQUIRED_USE not satisfied (probably)
USE='bzip2 -doc -ipv6 -static-libs truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='bzip2 -doc ipv6 -static-libs truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='bzip2 doc ipv6 -static-libs truetype' : REQUIRED_USE not satisfied (probably)
USE='-bzip2 -doc -ipv6 static-libs truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='-bzip2 doc -ipv6 static-libs truetype' : REQUIRED_USE not satisfied (probably)
USE='-bzip2 -doc ipv6 static-libs truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='bzip2 -doc ipv6 static-libs truetype'  succeeded for =x11-libs/libXfont2-2.0.2
USE='bzip2 doc ipv6 static-libs truetype' : REQUIRED_USE not satisfied (probably)
 FEATURES= test succeeded for =x11-libs/libXfont2-2.0.2
USE='-bzip2 -doc -ipv6 -static-libs -truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='-bzip2 doc -ipv6 -static-libs -truetype' : REQUIRED_USE not satisfied (probably)
USE='-bzip2 -doc ipv6 -static-libs -truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='bzip2 -doc ipv6 -static-libs -truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='bzip2 -doc -ipv6 static-libs -truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='-bzip2 -doc ipv6 -static-libs truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='bzip2 -doc ipv6 -static-libs truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='-bzip2 doc ipv6 -static-libs truetype' : REQUIRED_USE not satisfied (probably)
USE='-bzip2 -doc -ipv6 static-libs truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='bzip2 -doc ipv6 static-libs truetype'  succeeded for =x11-libs/libXfont-1.5.3
USE='bzip2 doc ipv6 static-libs truetype' : REQUIRED_USE not satisfied (probably)
 FEATURES= test succeeded for =x11-libs/libXfont-1.5.3
FEATURES= test USE='  ' succeeded for x11-base/xorg-server
FEATURES= test USE='  ' succeeded for x11-apps/bdftopcf
FEATURES= test USE='server ' succeeded for net-misc/tigervnc
FEATURES= test USE='  ' succeeded for x11-base/xorg-server
Comment 13 Matt Turner gentoo-dev 2017-11-02 16:14:07 UTC
sparc stable, thanks to Rolf Eike Beer
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:51:39 UTC
Stable on alpha.
Comment 15 Aleksandr Wagner (Kivak) 2017-11-08 17:11:00 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable versions from the tree.
Comment 16 Larry the Git Cow gentoo-dev 2017-11-08 23:38:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b61b085c5df9cebc1b7ca642fa5864b8ab743ddf

commit b61b085c5df9cebc1b7ca642fa5864b8ab743ddf
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2017-11-08 23:23:55 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2017-11-08 23:37:09 +0000

    x11-libs/libXfont2: Drop vulnerable version
    
    Bug: https://bugs.gentoo.org/634044

 x11-libs/libXfont2/Manifest               |  1 -
 x11-libs/libXfont2/libXfont2-2.0.1.ebuild | 33 -------------------------------
 2 files changed, 34 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=252fdf82acdd1c6b9187e3b76c75e96e58dcd7e4

commit 252fdf82acdd1c6b9187e3b76c75e96e58dcd7e4
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2017-11-08 23:23:25 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2017-11-08 23:37:09 +0000

    x11-libs/libXfont: Drop vulnerable version
    
    Bug: https://bugs.gentoo.org/634044

 x11-libs/libXfont/Manifest              |  1 -
 x11-libs/libXfont/libXfont-1.5.2.ebuild | 34 ---------------------------------
 2 files changed, 35 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1c02b4b226877cc1ea12bd46b2325472ac7410

commit 7c1c02b4b226877cc1ea12bd46b2325472ac7410
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2017-11-08 23:36:14 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2017-11-08 23:37:09 +0000

    package.mask: Mask vulnerable versions of libXfont
    
    Bug: https://bugs.gentoo.org/634044

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)}
Comment 17 Matt Turner gentoo-dev 2017-11-09 00:18:31 UTC
WTF. Somehow arm@ never got added.
Comment 18 Larry the Git Cow gentoo-dev 2017-11-09 01:38:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81db985d3c8042f98860e51f8e577adc92dac8c2

commit 81db985d3c8042f98860e51f8e577adc92dac8c2
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2017-11-09 01:37:18 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2017-11-09 01:38:05 +0000

    Revert "x11-libs/libXfont: Drop vulnerable version"
    
    This reverts commit 252fdf82acdd1c6b9187e3b76c75e96e58dcd7e4.
    
    arm is not done yet.
    
    Bug: https://bugs.gentoo.org/634044

 x11-libs/libXfont/Manifest              |  1 +
 x11-libs/libXfont/libXfont-1.5.2.ebuild | 34 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aecc9566af962c283b3ef0ac98b28817f7f90d06

commit aecc9566af962c283b3ef0ac98b28817f7f90d06
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2017-11-09 01:37:11 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2017-11-09 01:37:34 +0000

    Revert "x11-libs/libXfont2: Drop vulnerable version"
    
    This reverts commit b61b085c5df9cebc1b7ca642fa5864b8ab743ddf.
    
    arm is not done yet.
    
    Bug: https://bugs.gentoo.org/634044

 x11-libs/libXfont2/Manifest               |  1 +
 x11-libs/libXfont2/libXfont2-2.0.1.ebuild | 33 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)}
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 15:03:27 UTC
This issue was resolved and addressed in
 GLSA 201711-08 at https://security.gentoo.org/glsa/201711-08
by GLSA coordinator Aaron Bauman (b-man).
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 15:04:00 UTC
re-opened for arm and cleanup.
Comment 21 Markus Meier gentoo-dev 2017-11-19 15:09:27 UTC
arm stable
Comment 22 Matt Turner gentoo-dev 2017-11-23 19:15:52 UTC
Vulnerable versions removed.