Input validation error in libxfont (Alpine package)



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2014-0209
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 libxfont (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU33847

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-0209

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libxfont (Alpine package): 1.4.0-r0 - 1.4.7-r0

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=0c9f25da7cad183991206441ffd79f4f5b67cf1c
https://git.alpinelinux.org/aports/commit/?id=1476a4f2f4f84290a60b64a79123454f8227f80a
https://git.alpinelinux.org/aports/commit/?id=29880316e4d89974619a59348463b0c4a9bfd613
https://git.alpinelinux.org/aports/commit/?id=57ccd1954ce23cc940ad1c1e29cbf4919d516d8a


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###