CLD-72 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-13720 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) xorg-libraries
Deficiency Type SECURITY
Date Created 2017-10-10 17:49:13
Date Last Modified 2017-10-11 11:30:20

Version Specific Information:

Cucumber 1.0 i686fixed in xorg-libraries-7.7-i686-3
Cucumber 1.0 x86_64fixed in xorg-libraries-7.7-x86_64-3 and xorg-libraries-lib_i686-7.7-lib_i686-3

Cucumber 1.1 i686 fixed in xorg-libraries-7.7-i686-3
Cucumber 1.1 x86_64 fixed in xorg-libraries-7.7-x86_64-3 and xorg-libraries-lib_i686-7.7-lib_i686-3

Details:

This vulnerability was originally reported by the Debian security team in
DSA 3995-1, along with CVE-2017-13722. They claim the following:
Two vulnerabilities were found in libXfont, the X11 font rasterisation library,
which could result in denial of service or memory disclosure
(https://www.debian.org/security/2017/dsa-3995).

The Xorg developers released a patch and had this to say:
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory
(https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608).