CLD-73 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-13722 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) xorg-libraries
Deficiency Type SECURITY
Date Created 2017-10-10 17:49:24
Date Last Modified 2017-10-11 11:30:34

Version Specific Information:

Cucumber 1.0 i686 fixed in xorg-libraries-7.7-i686-3
Cucumber 1.0 x86_64 fixed in xorg-libraries-7.7-x86_64-3 and xorg-libraries-lib_i686-7.7-lib_i686-3

Cucumber 1.1 i686 fixed in xorg-libraries-7.7-i686-3
Cucumber 1.1 x86_64 fixed in xorg-libraries-7.7-x86_64-3 and xorg-libraries-lib_i686-7.7-lib_i686-3

Details:

This vulnerability was originally reported by the Debian security team in
DSA 3995-1, together with CVE-2017-13720. The advisory states the following:
Two vulnerabilities were found in libXfont, the X11 font rasterisation library,
which could result in denial of service or memory disclosure
(https://www.debian.org/security/2017/dsa-3995).

The Xorg developers released a patch (pcfGetProperties: Check string boundaries) and had this to say:
Without the checks a malformed PCF file can cause the library to make atom from
random heap memory that was behind the `strings` buffer. This may crash the
process or leak information
(https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd).
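
The following C program is an added illustration of the bug class described above; it is not libXfont code and not the upstream patch. It models the PCF properties table in a simplified little-endian form (the real format also carries a format word, a byte-order flag and 4-byte padding after the property array, which are omitted here as an assumption). Each property stores its name, and for string properties its value, as an offset into a trailing `strings` buffer. Before the fix, those offsets were used without being compared against `string_size`, so a malformed file could point the atom lookup at heap memory past the buffer. `pcf_props_check()` is the kind of boundary check the upstream commit describes; the NUL-terminator check in `pcf_string_at()` is an extra guard added in this example. The sample tables built by `build_sample()` are constructed for the example, not real font data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, see lead-in):
 *   int32 nprops
 *   nprops x { int32 name; uint8 is_string; int32 value; }
 *   int32 string_size
 *   uint8 strings[string_size]
 * name is an offset into strings; value is an integer, or another offset
 * into strings when is_string != 0. */
#define PCF_MAX_PROPS 64   /* cap for this example only */

typedef struct { int32_t name; uint8_t is_string; int32_t value; } pcf_prop;

typedef struct {
    int32_t nprops;
    pcf_prop props[PCF_MAX_PROPS];
    int32_t string_size;
    const uint8_t *strings;   /* points into the caller's buffer */
} pcf_props_table;

/* Bounded little-endian int32 read; fails instead of reading past len. */
static int read_i32(const uint8_t *buf, size_t len, size_t *off, int32_t *out)
{
    if (*off > len || len - *off < 4) return -1;
    uint32_t v = (uint32_t)buf[*off] | ((uint32_t)buf[*off + 1] << 8)
               | ((uint32_t)buf[*off + 2] << 16) | ((uint32_t)buf[*off + 3] << 24);
    *out = (int32_t)v;
    *off += 4;
    return 0;
}

/* Parse the table layout. This only checks that every field lies inside buf;
 * it deliberately does NOT validate the offsets stored in the table, which is
 * what the pre-fix code lacked. Returns 0 on success, -1 if truncated. */
int pcf_props_parse(const uint8_t *buf, size_t len, pcf_props_table *t)
{
    size_t off = 0;
    if (read_i32(buf, len, &off, &t->nprops) < 0) return -1;
    if (t->nprops < 0 || t->nprops > PCF_MAX_PROPS) return -1;
    for (int32_t i = 0; i < t->nprops; i++) {
        if (read_i32(buf, len, &off, &t->props[i].name) < 0) return -1;
        if (off >= len) return -1;
        t->props[i].is_string = buf[off++];
        if (read_i32(buf, len, &off, &t->props[i].value) < 0) return -1;
    }
    if (read_i32(buf, len, &off, &t->string_size) < 0) return -1;
    if (t->string_size < 0 || (size_t)t->string_size > len - off) return -1;
    t->strings = buf + off;
    return 0;
}

/* The boundary check: every name offset, and the value offset of every string
 * property, must fall inside strings. Returns -1 if all entries pass,
 * otherwise the index of the first offending property. */
int pcf_props_check(const pcf_props_table *t)
{
    for (int32_t i = 0; i < t->nprops; i++) {
        const pcf_prop *p = &t->props[i];
        if (p->name < 0 || p->name >= t->string_size) return i;
        if (p->is_string && (p->value < 0 || p->value >= t->string_size)) return i;
    }
    return -1;
}

/* Safe lookup: offset in range AND NUL-terminated before the end of strings
 * (atom creation does a strlen-style scan, so the terminator matters too). */
static const char *pcf_string_at(const pcf_props_table *t, int32_t off)
{
    if (off < 0 || off >= t->string_size) return NULL;
    const char *s = (const char *)t->strings + off;
    return memchr(s, '\0', (size_t)(t->string_size - off)) ? s : NULL;
}

const char *pcf_prop_name(const pcf_props_table *t, int32_t i)
{
    if (i < 0 || i >= t->nprops) return NULL;
    return pcf_string_at(t, t->props[i].name);
}

static size_t put_i32(uint8_t *out, size_t off, int32_t v)
{
    uint32_t u = (uint32_t)v;
    out[off] = u & 0xff; out[off + 1] = (u >> 8) & 0xff;
    out[off + 2] = (u >> 16) & 0xff; out[off + 3] = (u >> 24) & 0xff;
    return off + 4;
}

/* Constructed sample tables. variant 0 is well formed; 1 has a name offset far
 * past strings; 2 has a negative value offset on a string property. */
size_t build_sample(uint8_t *out, size_t cap, int variant)
{
    static const char strings[] = "FOUNDRY\0Example\0PIXEL_SIZE";  /* 27 bytes */
    const int32_t string_size = (int32_t)sizeof strings;
    pcf_prop props[2] = { { 0, 1, 8 },     /* FOUNDRY = "Example" */
                          { 16, 0, 12 } }; /* PIXEL_SIZE = 12 */
    if (variant == 1) props[0].name = 0x7ffffff0;   /* heap well past strings */
    if (variant == 2) props[0].value = -4;          /* before strings */
    if (cap < 4 + 2 * 9 + 4 + (size_t)string_size) return 0;
    size_t off = put_i32(out, 0, 2);
    for (int i = 0; i < 2; i++) {
        off = put_i32(out, off, props[i].name);
        out[off++] = props[i].is_string;
        off = put_i32(out, off, props[i].value);
    }
    off = put_i32(out, off, string_size);
    memcpy(out + off, strings, (size_t)string_size);
    return off + (size_t)string_size;
}

/* Build, parse and check a variant: -2 if truncated, else pcf_props_check(). */
int demo_check(int variant)
{
    uint8_t buf[256]; pcf_props_table t;
    size_t n = build_sample(buf, sizeof buf, variant);
    if (n == 0 || pcf_props_parse(buf, n, &t) < 0) return -2;
    return pcf_props_check(&t);
}

/* 1 if property i of the variant resolves safely to the expected name. */
int demo_name_is(int variant, int32_t i, const char *expected)
{
    uint8_t buf[256]; pcf_props_table t;
    size_t n = build_sample(buf, sizeof buf, variant);
    if (n == 0 || pcf_props_parse(buf, n, &t) < 0) return 0;
    const char *name = pcf_prop_name(&t, i);
    return name != NULL && strcmp(name, expected) == 0;
}

int main(void)
{
    for (int v = 0; v < 3; v++) {
        int r = demo_check(v);
        printf("variant %d: %s\n", v, r == -1 ? "all offsets in range"
                                  : r == -2 ? "truncated table" : "rejected");
    }
    return 0;
}
```

Variant 0 parses and passes the check, so its names resolve normally; variants 1 and 2 parse fine structurally (the file itself is not truncated) but fail `pcf_props_check()` at property 0, which is the point of the fix: a structurally valid table can still carry offsets that land outside the strings buffer, and only an explicit comparison against `string_size` prevents the out-of-bounds read.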