libXfont-devel-1.5.4-2.18 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10921 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libXfont-devel-1.5.4-2.18 on GA media These are all security issues fixed in the libXfont-devel-1.5.4-2.18 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10921 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10921 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-13720/ SUSE CVE CVE-2017-13720 page https://www.suse.com/security/cve/CVE-2017-13722/ SUSE CVE CVE-2017-13722 page https://www.suse.com/security/cve/CVE-2017-16611/ SUSE CVE CVE-2017-16611 page openSUSE Tumbleweed libXfont-devel-1.5.4-2.18 libXfont-devel-32bit-1.5.4-2.18 libXfont1-1.5.4-2.18 libXfont1-32bit-1.5.4-2.18 libXfont-devel-1.5.4-2.18 as a component of openSUSE Tumbleweed libXfont-devel-32bit-1.5.4-2.18 as a component of openSUSE Tumbleweed libXfont1-1.5.4-2.18 as a component of openSUSE Tumbleweed libXfont1-32bit-1.5.4-2.18 as a component of openSUSE Tumbleweed In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters. CVE-2017-13720 openSUSE Tumbleweed:libXfont-devel-1.5.4-2.18 openSUSE Tumbleweed:libXfont-devel-32bit-1.5.4-2.18 openSUSE Tumbleweed:libXfont1-1.5.4-2.18 openSUSE Tumbleweed:libXfont1-32bit-1.5.4-2.18 moderate 1.7 AV:L/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-13720.html CVE-2017-13720 https://bugzilla.suse.com/1054285 SUSE Bug 1054285 https://bugzilla.suse.com/1159415 SUSE Bug 1159415 In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server. CVE-2017-13722 openSUSE Tumbleweed:libXfont-devel-1.5.4-2.18 openSUSE Tumbleweed:libXfont-devel-32bit-1.5.4-2.18 openSUSE Tumbleweed:libXfont1-1.5.4-2.18 openSUSE Tumbleweed:libXfont1-32bit-1.5.4-2.18 moderate 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-13722.html CVE-2017-13722 https://bugzilla.suse.com/1049692 SUSE Bug 1049692 https://bugzilla.suse.com/1159415 SUSE Bug 1159415 In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files. CVE-2017-16611 openSUSE Tumbleweed:libXfont-devel-1.5.4-2.18 openSUSE Tumbleweed:libXfont-devel-32bit-1.5.4-2.18 openSUSE Tumbleweed:libXfont1-1.5.4-2.18 openSUSE Tumbleweed:libXfont1-32bit-1.5.4-2.18 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16611.html CVE-2017-16611 https://bugzilla.suse.com/1050459 SUSE Bug 1050459