
Scientific Linux: SLSA-2014:1893-1 Critical libXfont Code Threat

Important: libXfont security update
Date: Mon, 24 Nov 2014 22:07:32 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: libXfont on SL5.x i386/x86_64
MIME-Version: 1.0

Synopsis: Important: libXfont security update
Advisory ID: SLSA-2014:1893-1
Issue Date: 2014-11-24
CVE Numbers: CVE-2014-0211
 CVE-2014-0210
 CVE-2014-0209
--

A use-after-free flaw was found in the way libXfont processed certain font
files when attempting to add a new directory to the font path. A
malicious, local user could exploit this issue to potentially execute
arbitrary code with the privileges of the X.Org server. (CVE-2014-0209)

Multiple out-of-bounds write flaws were found in the way libXfont parsed
replies received from an X.org font server. A malicious X.org server could
cause an X client to crash or, possibly, execute arbitrary code with the
privileges of the X.Org server. (CVE-2014-0210, CVE-2014-0211)

All running X.Org server instances must be restarted for the update to
take effect.
--

SL5
  x86_64
    libXfont-1.2.2-1.0.6.el5_11.i386.rpm
    libXfont-1.2.2-1.0.6.el5_11.x86_64.rpm
    libXfont-debuginfo-1.2.2-1.0.6.el5_11.i386.rpm
    libXfont-debuginfo-1.2.2-1.0.6.el5_11.x86_64.rpm
    libXfont-devel-1.2.2-1.0.6.el5_11.i386.rpm
    libXfont-devel-1.2.2-1.0.6.el5_11.x86_64.rpm
  i386
    libXfont-1.2.2-1.0.6.el5_11.i386.rpm
    libXfont-debuginfo-1.2.2-1.0.6.el5_11.i386.rpm
    libXfont-devel-1.2.2-1.0.6.el5_11.i386.rpm

- Scientific Linux Development Team
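
The advisory's restart requirement can be checked after the update is installed. The following is an added example, not part of the advisory or of Scientific Linux tooling: it lists processes that still map the replaced libXfont from its unlinked inode. The function names and the proc_root parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find processes still running the pre-update libXfont.
# After the RPM replaces the library on disk, a process that loaded the old
# copy keeps it mapped, and the kernel marks that mapping "(deleted)" in
# /proc/<pid>/maps. Such processes stay exposed until they are restarted.
# proc_root is a hypothetical parameter so the check can run on a test tree.
# Usage: source this file as root, then run report_stale_libxfont.

stale_libxfont_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes that exited or that we are not allowed to read.
        [ -r "$maps" ] || continue
        if grep -q 'libXfont\.so[^ ]* (deleted)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

report_stale_libxfont() {
    proc_root="${1:-/proc}"
    pids=$(stale_libxfont_pids "$proc_root")
    if [ -z "$pids" ]; then
        echo "OK: no running process maps a deleted libXfont"
        return 0
    fi
    for pid in $pids; do
        # Name: in /proc/<pid>/status is the short process name (e.g. Xorg).
        name=$(sed -n 's/^Name:[[:space:]]*//p' \
            "$proc_root/$pid/status" 2>/dev/null) || true
        [ -n "$name" ] || name=unknown
        echo "RESTART NEEDED: pid=$pid name=$name"
    done
    return 1
}
```

A non-zero return from report_stale_libxfont means at least one process, typically the X.Org server, has not yet been restarted onto the updated library.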