CLD-155 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-16611 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) xorg-libraries
Deficiency Type SECURITY
Date Created 2017-11-28 10:33:28
Date Last Modified 2017-11-28 11:53:50

Version Specific Information:

Cucumber 1.0 i686 fixed in xorg-libraries-7.7-i686-4
Cucumber 1.0 x86_64 fixed in xorg-libraries-7.7-x86_64-4 and xorg-libraries-lib_i686-7.7-lib_i686-4

Cucumber 1.1 i686 fixed in xorg-libraries-7.7-i686-4
Cucumber 1.1 x86_64 fixed in xorg-libraries-7.7-x86_64-4 and xorg-libraries-lib_i686-7.7-lib_i686-4

Details:

================================ Initial Report ================================

From Openwall (http://www.openwall.com/lists/oss-security/2017/11/28/7):

Hi,

X.Org has just released libXfont 1.5.4 and libXfont2 2.0.3 which
contain the following security fix:

Author:     Michal Srb 
AuthorDate: Thu Oct 26 09:48:13 2017 +0200
Commit:     Matthieu Herrb 
CommitDate: Sat Nov 25 11:46:50 2017 +0100

    Open files with O_NOFOLLOW. (CVE-2017-16611)

    A non-privileged X client can instruct X server running under root
    to open any file by creating own directory with "fonts.dir",
    "fonts.alias" or any font file being a symbolic link to any other
    file in the system. X server will then open it. This can be issue
    with special files such as /dev/watchdog.

https://marc.info/?l=freedesktop-xorg-announce&m=151188049718337&w=2
https://marc.info/?l=freedesktop-xorg-announce&m=151188044218304&w=2
-- 
Matthieu Herrb

================================= Our Analysis =================================

----- Fix for this Vulnerability -----
This vulnerability was fixed by the Xorg developers in commit 
7b377456f95d2ec3ead40f4fb74ea620191f88c8
(https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8),
which has been applied in release 1.5.4 of libXfont.
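
The commit title says the fix is to open files with O_NOFOLLOW. The C program
below is an added example (not the libXfont patch and not Cucumber Linux code)
that shows the effect of that flag on a constructed font directory. The
function names, the /tmp location and the file named "target" are assumptions
made for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Try to open path read-only. extra is 0 (behaviour before the fix) or
 * O_NOFOLLOW (behaviour after it). Returns 0 on success or -errno; with
 * O_NOFOLLOW a symlink as the last path component gives -ELOOP on Linux. */
int check_open(const char *path, int extra)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | extra);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Constructed fixture: "target" is a regular file standing in for a file
 * elsewhere on the system; "fonts.dir" is a symlink pointing at it.
 * dir must be a writable mkdtemp() template. Returns 0 or -errno. */
int make_fixture(char *dir, char *real, char *lnk, size_t n)
{
    if (!mkdtemp(dir))
        return -errno;
    snprintf(real, n, "%s/target", dir);
    snprintf(lnk, n, "%s/fonts.dir", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    return symlink(real, lnk) == 0 ? 0 : -errno;
}

int main(void)
{
    char dir[] = "/tmp/xfont-demo-XXXXXX", real[128], lnk[128];
    if (make_fixture(dir, real, lnk, sizeof real) != 0)
        return 1;
    printf("symlink, plain open():     %d\n", check_open(lnk, 0));
    printf("symlink, O_NOFOLLOW:       %d\n", check_open(lnk, O_NOFOLLOW));
    printf("regular file, O_NOFOLLOW:  %d\n", check_open(real, O_NOFOLLOW));
    unlink(lnk); unlink(real); rmdir(dir);
    return 0;
}
```

O_NOFOLLOW only rejects a symbolic link in the final path component; links in
earlier components of the path are still followed.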

----- Affected Products -----
Any system using a version of libXfont prior to 1.5.4 that has not applied
the aforementioned patch is affected by this vulnerability. This includes
Cucumber Linux 1.0 and 1.1 (as of Tue Nov 28 11:22:08 EST 2017), since they both
use libXfont 1.5.1.

----- Scope and Impact of this Vulnerability -----
It appears that this vulnerability can result in information disclosure: it
allows an unprivileged user to have an arbitrary file opened as root.

================================= Our Solution =================================

We have patched this vulnerability by applying the upstream patch
(https://cgit.freedesktop.org/xorg/lib/libXfont/patch/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8)
to the xorg-libraries package (effective in xorg-libraries-7.7-i686-4). It
worked without modification.