Vulnerability identifier: #VU38076
Vulnerability risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
libXfont
Universal components / Libraries /
Libraries used by multiple products
Vendor: X.org
Description
The vulnerability allows a local authenticated user to #BASIC_IMPACT#.
In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server.
Mitigation
Install update from vendor's website.
Vulnerable software versions
libXfont: 2.0.0 - 2.0.1
External links
http://www.debian.org/security/2017/dsa-3995
http://bugzilla.redhat.com/show_bug.cgi?id=1500693
http://bugzilla.suse.com/show_bug.cgi?id=1049692
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd
http://security.gentoo.org/glsa/201711-08
http://www.x.org/releases/individual/lib/libXfont2-2.0.2.tar.bz2
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.