The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

cybersecurity vulnerability CVE-2017-13722

libxfont: out-of-bounds memory reading via PCF

Synthesis of the vulnerability

An attacker can force libxfont to read from an invalid address via a PCF font file, in order to trigger a denial of service or to obtain sensitive information.
Severity of this alert: 2/4.
Creation date: 09/10/2017.
References of this alert: CVE-2017-13722, DLA-1126-1, DSA-3995-1, FEDORA-2017-2783ef2c63, FEDORA-2017-b7c4334524, FEDORA-2017-f44afd1f34, openSUSE-SU-2017:3256-1, openSUSE-SU-2018:0343-1, USN-3442-1, VIGILANCE-VUL-24047.

Description of the vulnerability

An attacker can force libxfont to read from an invalid address via a PCF font file, in order to trigger a denial of service or to obtain sensitive information.

This vulnerability impacts software or systems such as Debian, Fedora, NetBSD, openSUSE Leap, Ubuntu, Unix (platform) ~ not comprehensive, XOrg Bundle ~ not comprehensive.

Our Vigil@nce team determined that the severity of this security announcement is medium.

The trust level is "confirmed by the editor", with "document" as the origin.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

libXfont2: version 2.0.2.
Version 2.0.2 is fixed:
  https://xorg.freedesktop.org/archive/individual/lib/libXfont2-2.0.2.tar.bz2

libXfont: version 1.5.3.
Version 1.5.3 is fixed:
  https://xorg.freedesktop.org/archive/individual/lib/libXfont-1.5.3.tar.bz2

Debian: new libxfont packages.
New packages are available:
  Debian 7: libxfont 1:1.4.5-5+deb7u1
  Debian 8: libxfont 1:1.5.1-1+deb8u1
  Debian 9: libxfont 1:2.0.1-3+deb9u1

Fedora 26: new libXfont2 packages.
New packages are available:
  Fedora 26: libXfont2 2.0.2-1.fc26

Fedora: new libXfont packages.
New packages are available:
  Fedora 25: libXfont 1.5.2-5.fc25
  Fedora 26: libXfont 1.5.2-5.fc26

NetBSD: version 7.1.1.
Version 7.1.1 is fixed:
  http://www.NetBSD.org/mirrors/

openSUSE Leap: new libXfont packages.
New packages are available:
  openSUSE Leap 42.2: libXfont 1.5.1-9.3.1
  openSUSE Leap 42.3: libXfont1 1.5.1-13.1

Ubuntu: new libxfont packages.
New packages are available:
  Ubuntu 17.04: libxfont1 1:1.5.2-4ubuntu0.1, libxfont2 1:2.0.1-3ubuntu0.1
  Ubuntu 16.04 LTS: libxfont1 1:1.5.1-1ubuntu0.16.04.3, libxfont2 1:2.0.1-3~ubuntu16.04.2
  Ubuntu 14.04 LTS: libxfont1 1:1.4.7-1ubuntu0.3

Computer vulnerabilities tracking service

Vigil@nce provides system vulnerability patches. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce vulnerability database contains several thousand vulnerabilities.