Main Vulnerability Database SB2014051417

SB2014051417 - Input validation error in libxfont (Alpine package)

Published: May 14, 2014

Security Bulletin ID SB2014051417

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2014-0209)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=0c9f25da7cad183991206441ffd79f4f5b67cf1c
https://git.alpinelinux.org/aports/commit/?id=1476a4f2f4f84290a60b64a79123454f8227f80a
https://git.alpinelinux.org/aports/commit/?id=29880316e4d89974619a59348463b0c4a9bfd613
https://git.alpinelinux.org/aports/commit/?id=57ccd1954ce23cc940ad1c1e29cbf4919d516d8a