Bug 378797 (CVE-2011-2895) - <x11-libs/libXfont-1.4.4: local privilege escalation (CVE-2011-2895)
Summary: <x11-libs/libXfont-1.4.4: local privilege escalation (CVE-2011-2895)
Status: RESOLVED FIXED
Alias: CVE-2011-2895
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://lists.freedesktop.org/archives...
Whiteboard: B1 [glsa]
Reported: 2011-08-11 15:34 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2014-02-21 16:08 UTC

Attachments
libXfont.report (libXfont.report,524 bytes, text/plain)
2011-08-15 00:49 UTC, David Abbott

Description Chí-Thanh Christopher Nguyễn gentoo-dev 2011-08-11 15:34:30 UTC
CVE ID: CVE-2011-2895

libXfont contains a compress / LZW decompressor implementation based
on the original BSD compress code. A specially crafted LZW stream can
cause a buffer overflow in an application using libXfont that is used
to open untrusted font files, such as the X server (often run with
elevated privileges) when a client adds a local directory to the font
path. Successful exploitation may possibly lead to a local privilege
escalation.

This is fixed in libXfont-1.4.4. Please add arches as you see fit.
Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev 2011-08-12 15:44:20 UTC
Arches, please stabilize x11-libs/libXfont-1.4.4
Comment 2 Agostino Sarubbo gentoo-dev 2011-08-12 17:14:38 UTC
take a look at bug 378875
Comment 3 Brent Baude (RETIRED) gentoo-dev 2011-08-12 18:31:51 UTC
ppc done
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-13 07:09:09 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2011-08-13 09:04:55 UTC
(In reply to comment #2)
> take a look at bug 378875

amd64 ok with exception for bug that I've posted
Comment 6 Jeroen Roovers gentoo-dev 2011-08-13 13:44:58 UTC
Stable for HPPA.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-08-14 14:50:35 UTC
amd64 done. Thanks Agostino
Comment 8 David Abbott gentoo-dev 2011-08-15 00:48:59 UTC
Arch tested on x86, all good here ...
Comment 9 David Abbott gentoo-dev 2011-08-15 00:49:24 UTC
Created attachment 283373
libXfont.report
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-15 03:06:44 UTC
x86 stable, thanks David
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-08-15 15:25:41 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 15:18:09 UTC
Thanks, folks. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:43:45 UTC
CVE-2011-2895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2895):
  The LZW decompressor in (1) the BufCompressedFill function in
  fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2)
  compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8,
  FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1,
  FreeType 2.1.9, and other products, does not properly handle code words that
  are absent from the decompression table when encountered, which allows
  context-dependent attackers to trigger an infinite loop or a heap-based
  buffer overflow, and possibly execute arbitrary code, via a crafted
  compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:24 UTC
This issue was resolved and addressed in
 GLSA 201402-23 at http://security.gentoo.org/glsa/glsa-201402-23.xml
by GLSA coordinator Chris Reffett (creffett).
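
The CVE description in comment 13 comes down to one missing check: a code word larger than the next free table entry must be rejected before the prefix chain is walked. The decoder below is an added example, not libXfont's code or the upstream patch; it assumes code words already unpacked into ints, a fixed 12-bit table and no CLEAR code, and every name in it is hypothetical.

```c
#include <stdio.h>
#define FIRST   256   /* first free slot (assumption: no CLEAR code) */
#define MAXCODE 4096  /* 12-bit table, chosen for this example */

/* Constructed inputs: code words already unpacked from the bit stream. */
static const int good[] = {65, 66, 256, 258};  /* encodes "ABABABA" */
static const int bad[]  = {65, 300};           /* 300 is not in the table */
static unsigned char sample_out[16];

/* Returns bytes written to out, or -1 on a malformed stream or full buffer. */
long lzw_decode(const int *codes, size_t ncodes, unsigned char *out, size_t cap)
{
    unsigned short prefix[MAXCODE] = {0};
    unsigned char suffix[MAXCODE] = {0}, stack[MAXCODE];
    int free_ent = FIRST, oldcode = -1, finchar = 0;
    size_t n = 0;
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], incode = code;
        size_t sp = 0;
        if (code < 0 || code > free_ent || code >= MAXCODE)
            return -1;              /* absent from the table: reject */
        if (code == free_ent) {     /* KwKwK: entry being defined right now */
            if (oldcode == -1) return -1;
            stack[sp++] = (unsigned char)finchar;
            code = oldcode;
        }
        while (code >= FIRST) {     /* every index walked is < free_ent */
            if (sp + 1 >= sizeof stack) return -1;
            stack[sp++] = suffix[code];
            code = prefix[code];
        }
        stack[sp++] = (unsigned char)(finchar = code);
        if (sp > cap - n) return -1;  /* output buffer too small */
        while (sp > 0) out[n++] = stack[--sp];
        if (oldcode != -1 && free_ent < MAXCODE) {  /* define next entry */
            prefix[free_ent] = (unsigned short)oldcode;
            suffix[free_ent] = (unsigned char)finchar;
            free_ent++;
        }
        oldcode = incode;
    }
    return (long)n;
}

int main(void)
{
    printf("%ld %ld\n", lzw_decode(good, 4, sample_out, 16),
           lzw_decode(bad, 2, sample_out, 16));
}
```

Because every accepted code is at most `free_ent`, each prefix entry points to a strictly smaller index, so the chain walk always terminates and the stack bound is never reached on valid input.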