'[security-announce] openSUSE-SU-2015:0614-1: important: Security update for libXfont'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       opensuse-security-announce
Subject:    [security-announce] openSUSE-SU-2015:0614-1: important: Security update for libXfont
From:       opensuse-security () opensuse ! org
Date:       2015-03-27 9:08:20
Message-ID: 20150327090820.6593432398 () maintenance ! suse ! de
[Download RAW message or body]

   openSUSE Security Update: Security update for libXfont
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0614-1
Rating:             important
References:         #921978 
Cross-References:   CVE-2015-1802 CVE-2015-1803 CVE-2015-1804
                   
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   libXFont was updated to fix three vulnerabilities when parsing BDF files
   (bnc#921978)

   As libXfont is used by the X server to read font files, and an
   unprivileged user with access to the X server can tell the X server to
   read a given font file from a path of their choosing, these
   vulnerabilities have the potential to allow unprivileged users to run code
   with the privileges of the X server.

   The following vulnerabilities were fixed:
   * The BDF parser could allocate the a wrong buffer size, leading to out of
     bound writes (CVE-2015-1802)
   * The BDF parser could crash when trying to read an invalid pointer
     (CVE-2015-1803)
   * The BDF parser could read 32 bit metrics values into 16 bit integers,
     causing an out-of-bound memory access though integer overflow
     (CVE-2015-1804)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-266=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-266=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      libXfont-debugsource-1.5.0-2.4.1
      libXfont-devel-1.5.0-2.4.1
      libXfont1-1.5.0-2.4.1
      libXfont1-debuginfo-1.5.0-2.4.1

   - openSUSE 13.2 (x86_64):

      libXfont-devel-32bit-1.5.0-2.4.1
      libXfont1-32bit-1.5.0-2.4.1
      libXfont1-debuginfo-32bit-1.5.0-2.4.1

   - openSUSE 13.1 (i586 x86_64):

      libXfont-debugsource-1.4.6-2.12.1
      libXfont-devel-1.4.6-2.12.1
      libXfont1-1.4.6-2.12.1
      libXfont1-debuginfo-1.4.6-2.12.1

   - openSUSE 13.1 (x86_64):

      libXfont-devel-32bit-1.4.6-2.12.1
      libXfont1-32bit-1.4.6-2.12.1
      libXfont1-debuginfo-32bit-1.4.6-2.12.1


References:

   http://support.novell.com/security/cve/CVE-2015-1802.html
   http://support.novell.com/security/cve/CVE-2015-1803.html
   http://support.novell.com/security/cve/CVE-2015-1804.html
   https://bugzilla.suse.com/921978

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic