LibXfont, LibXfont2: Arbitrary file access — GLSA 201801-10

A vulnerability has been found in LibXfont and LibXfont2 which may allow for arbitrary file access.

Affected packages

x11-libs/libXfont on all architectures
Affected versions < 1.5.4
Unaffected versions >= 1.5.4
x11-libs/libXfont2 on all architectures
Affected versions < 2.0.3
Unaffected versions >= 2.0.3

Background

X.Org Xfont library.

Description

It was discovered that libXfont incorrectly followed symlinks when opening font files.

Impact

A local unprivileged user could use this flaw to cause the X server to access arbitrary files, including special device files.

Workaround

There is no known workaround at this time.

Resolution

All LibXfont users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.5.4"
 

All LibXfont2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-libs/libXfont2-2.0.3"
 

References

Release date
January 08, 2018

Latest revision
January 08, 2018: 1

Severity
normal

Exploitable
local

Bugzilla entries