#VU32852 Heap-based buffer overflow in libXfont - CVE-2011-2895


| Updated: 2020-07-28

Vulnerability identifier: #VU32852

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2011-2895

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libXfont
Universal components / Libraries / Libraries used by multiple products

Vendor: X.org

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which. A remote attacker can use a crafted compressed stream to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Update to version 1.4.4.

Vulnerable software versions

libXfont: 1.4.0 - 1.4.3

External links
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc
https://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
https://lists.apple.com/archives/security-announce/2012/May/msg00001.html
https://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
https://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
https://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
https://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
https://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html
https://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html
https://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html
https://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html
https://secunia.com/advisories/45544
https://secunia.com/advisories/45568
https://secunia.com/advisories/45599
https://secunia.com/advisories/45986
https://secunia.com/advisories/46127
https://secunia.com/advisories/48951
https://securitytracker.com/id?1025920
https://support.apple.com/kb/HT5130
https://support.apple.com/kb/HT5281
https://www.debian.org/security/2011/dsa-2293
https://www.mandriva.com/security/advisories?name=MDVSA-2011:153
https://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17
https://www.openwall.com/lists/oss-security/2011/08/10/10
https://www.redhat.com/support/errata/RHSA-2011-1154.html
https://www.redhat.com/support/errata/RHSA-2011-1155.html
https://www.redhat.com/support/errata/RHSA-2011-1161.html
https://www.redhat.com/support/errata/RHSA-2011-1834.html
https://www.securityfocus.com/bid/49124
https://www.ubuntu.com/usn/USN-1191-1
https://bugzilla.redhat.com/show_bug.cgi?id=725760
https://bugzilla.redhat.com/show_bug.cgi?id=727624
https://exchange.xforce.ibmcloud.com/vulnerabilities/69141
https://support.apple.com/HT205635
https://support.apple.com/HT205637
https://support.apple.com/HT205640
https://support.apple.com/HT205641

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for libXfont
SUSE Linux update for freetype2
SUSE Linux update for Xorg-X11
Heap-based buffer overflow in libxfont (Alpine package)
SUSE Linux update for Xorg X11
Heap-based buffer overflow in X libXfont