Contributed by tbert on from the tell-X-where-you-marked-the-spot dept.
Patches are now available to fix buffer overflows in libXfont. This issue affects 5.5, 5.6, and the forthcoming 5.7 release.
For more details, refer to the X.org advisory:
http://www.x.org/wiki/Development/Security/Advisory-2015-03-17/
5.5 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/023_libxfont.patch.sig
5.6 patch:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/019_libxfont.patch.sig
untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhnSKDBy7WgkNZrLujusI8Qvntb9/tVW0P3tfc0eRZ37NLCk0qcu5lurRs5aKGI6y5kGCXgAGE6tos5xwEjWbiw8=
OpenBSD 5.6 errata 19, March 18, 2015
More BDF file parsing issues in libXfont
After IOActive's Ilja van Sprundel found a number of issues in 2014, additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files.
Apply patch using:
    signify -Vep /etc/signify/openbsd-56-base.pub -x 019_libxfont.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)
Then build and install a new libXfont:
    cd /usr/xenocara/lib/libXont
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build
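The .sig file fed to signify -Vep above is an embedded-signature file: an "untrusted comment" line that the signature does not cover, one base64 line holding the algorithm tag, an 8-byte key number and the 64-byte Ed25519 signature, then the signed patch text. The following Python sketch is an added example, not part of the original post or of OpenBSD's tooling; it parses that layout and checks that the key number matches the one in a public key file, as a pre-check before signify does the cryptographic verification. The function names, the placeholder message body and the constructed public key are assumptions made for illustration.

```python
import base64

PREFIX = "untrusted comment: "
# Signature line as shown on this page; the message body is a constructed stand-in.
SAMPLE_SIG = (
    "untrusted comment: signature from openbsd 5.6 base private key\n"
    "RWR0EANmo9nqhnSKDBy7WgkNZrLujusI8Qvntb9/tVW0P3tfc0eRZ37NLCk0qcu5"
    "lurRs5aKGI6y5kGCXgAGE6tos5xwEjWbiw8=\n"
    "OpenBSD 5.6 errata 19, March 18, 2015\n(constructed placeholder body)\n"
)

def _parse(text, payload_len):
    """Split a signify file into comment, key number, payload and trailing body."""
    comment, _, rest = text.partition("\n")
    blob, _, body = rest.partition("\n")
    if not comment.startswith(PREFIX):
        raise ValueError("missing 'untrusted comment: ' line")
    raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 2 + 8 + payload_len or raw[:2] != b"Ed":
        raise ValueError("not an Ed25519 signify blob of the expected size")
    return comment[len(PREFIX):], raw[2:10], raw[10:], body

def parse_embedded_sig(text):
    """File made with -e: header lines, then the signed message itself."""
    comment, keynum, sig, message = _parse(text, 64)
    return {"comment": comment, "keynum": keynum, "sig": sig, "message": message}

def parse_pubkey(text):
    """Public key file: same header, 32-byte key instead of a signature."""
    comment, keynum, key, _ = _parse(text, 32)
    return {"comment": comment, "keynum": keynum, "key": key}

def make_constructed_pubkey(keynum):
    """Constructed all-zero key carrying the given key number (test data only)."""
    blob = base64.b64encode(b"Ed" + keynum + bytes(32)).decode()
    return PREFIX + "constructed test key\n" + blob + "\n"

def signed_by(sig_text, pub_text):
    """True when the signature names the same key number as the public key."""
    return parse_embedded_sig(sig_text)["keynum"] == parse_pubkey(pub_text)["keynum"]

if __name__ == "__main__":
    sig = parse_embedded_sig(SAMPLE_SIG)
    print("comment (unsigned):", sig["comment"])
    print("key number:", sig["keynum"].hex())
    print("first signed line:", sig["message"].splitlines()[0])
```

A matching key number only says which key the file claims to be signed with; the signature itself is still checked by signify -V against the public key in /etc/signify.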
(Comments are closed)
By Anonymous Coward (128.237.214.35) on
There is a typographical error in this patch. The patch contains the following line
But the letter "f" is missing. It should be