Main Vulnerability Database SB2017101137

SB2017101137 - Fedora 27 update for libXfont

Published: October 11, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017101137

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2017-13720)

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '' characters are incorrectly skipped in situations involving ? characters.

2) Out-of-bounds read (CVE-ID: CVE-2017-13722)

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2017-f3e5d31524