[OE-core] [PATCH] libxfont: CVE-2017-13720, CVE-2017-13722

Randy MacLeod randy.macleod at windriver.com
Fri Nov 3 17:50:05 UTC 2017


On 2017-11-01 01:07 PM, Alexander Kanavin wrote:
> On 11/01/2017 06:28 PM, Catalin Enache wrote:
>> In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2
>> and 2.x before 2.0.2, an attacker with access to an X connection can cause
>> a buffer over-read during pattern matching of fonts, leading to information
>> disclosure or a crash (denial of service). This occurs because '\0'
>> characters are incorrectly skipped in situations involving ? characters.
>>
>> In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2
>> and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used
>> by local attackers authenticated to an Xserver for a buffer over-read, for
>> information disclosure or a crash of the X server.
> 
> If both 1.x and 2.x are vulnerable, you should update them both (not just 1.x).

Sure but 2.x isn't in morty, see below.

> Also, it's better to update to a version that is not vulnerable, rather than
> backport patches.
> 
> Alex

Alex,

Catalin works on the WR sustaining team so his mandate is to take care
of released products where updating isn't typically permitted.
Now that oe-core-2.2 is out, we'll be sending patches for rocko as
well but we're in a transition time for a while so bear with us please.
If master and rocko have the same code, then of course Catalin would
target master and arrange to have the commit backported.

Catalin,

Please tag your commits if they are strictly for the morty
branch using something like:
    [OE-core][morty][PATCH] foo: the bar should be zinged
    [OE-core][PATCH][morty] foo: the bar should be zinged

as per:
    https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance

Thanks,
-- 
# Randy MacLeod.  WR Linux
# Wind River an Intel Company
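To make the first CVE description quoted above concrete (a '?' wildcard that "incorrectly skips" the terminating '\0' during font pattern matching), here is an added illustration. It is constructed for this page and is not libXfont's PatternMatch or any other libXfont code: a minimal glob matcher for font-name style patterns with '?' and '*', in a vulnerable form whose '?' consumes any byte including the NUL terminator, beside a hardened form whose '?' refuses to match the terminator. Both matchers record the highest index of the name buffer they touched, and the `match_unsafe`/`match_safe` wrappers, the padding buffer, the `glob_result` struct and all sample names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libXfont code.  A tiny glob matcher supporting
 * '?' (exactly one character) and '*' (any run of characters).  Both versions
 * update *max_idx with the highest index of name[] they read, so the over-read
 * caused by the '?' bug is measurable from the outside.  Return 1 on match. */

static int glob_unsafe(const char *pat, const char *name, size_t i, size_t *max_idx)
{
    for (;; pat++, i++) {
        if (i > *max_idx) *max_idx = i;
        switch (*pat) {
        case '\0':
            return name[i] == '\0';
        case '*':
            /* Try every suffix of the name, including the empty one. */
            for (;; i++) {
                if (i > *max_idx) *max_idx = i;
                if (glob_unsafe(pat + 1, name, i, max_idx)) return 1;
                if (name[i] == '\0') return 0;
            }
        case '?':
            /* BUG: '?' consumes the current byte unconditionally.  When that
             * byte is the terminating NUL, the loop steps past the end of the
             * string and every later iteration reads memory beyond it. */
            break;
        default:
            if (name[i] != *pat) return 0;
            break;
        }
    }
}

static int glob_safe(const char *pat, const char *name, size_t i, size_t *max_idx)
{
    for (;; pat++, i++) {
        if (i > *max_idx) *max_idx = i;
        switch (*pat) {
        case '\0':
            return name[i] == '\0';
        case '*':
            for (;; i++) {
                if (i > *max_idx) *max_idx = i;
                if (glob_safe(pat + 1, name, i, max_idx)) return 1;
                if (name[i] == '\0') return 0;
            }
        case '?':
            /* FIX: the terminator is not a character; a '?' cannot match it,
             * so the walk stops at the end of the name. */
            if (name[i] == '\0') return 0;
            break;
        default:
            if (name[i] != *pat) return 0;
            break;
        }
    }
}

typedef struct {
    int matched;      /* 1 if the pattern matched the name */
    size_t overread;  /* indices examined beyond the name's terminating NUL */
} glob_result;

/* Constructed harness: copy the (short) name into a 64-byte buffer padded with
 * 'Z' and terminated only at the very end, so any index the matcher reaches
 * past the real terminator is observable yet still inside the buffer. */
static glob_result run_glob(int (*fn)(const char *, const char *, size_t, size_t *),
                            const char *pat, const char *name)
{
    char buf[64];
    glob_result r = {0, 0};
    size_t len = strlen(name), max_idx = 0;
    if (len >= sizeof buf - 1) return r;   /* sample names are kept short */
    memset(buf, 'Z', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    memcpy(buf, name, len + 1);
    r.matched = fn(pat, buf, 0, &max_idx);
    r.overread = max_idx > len ? max_idx - len : 0;
    return r;
}

glob_result match_unsafe(const char *pat, const char *name) { return run_glob(glob_unsafe, pat, name); }
glob_result match_safe(const char *pat, const char *name)   { return run_glob(glob_safe, pat, name); }

int main(void)
{
    const char *pats[] = { "*-fixed-?edium-*", "a??", "a?*" };
    const char *names[] = { "-misc-fixed-medium-r-normal", "a", "a" };
    for (size_t k = 0; k < 3; k++) {
        glob_result u = match_unsafe(pats[k], names[k]);
        glob_result s = match_safe(pats[k], names[k]);
        printf("%-18s %-28s unsafe: match=%d overread=%zu  safe: match=%d overread=%zu\n",
               pats[k], names[k], u.matched, u.overread, s.matched, s.overread);
    }
    return 0;
}
```

With a name shorter than its pattern's run of '?' characters, the unsafe matcher walks past the terminator (and with a trailing '*' keeps scanning until it happens to find a zero byte, reporting a spurious match), which is the over-read and information-disclosure/crash condition the CVE text describes; the safe matcher never reads beyond the terminator and rejects the pattern. In a real X server the name being matched would be a font name supplied over the client connection, which is why the description says an attacker with an X connection can trigger it.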


