Date: Tue, 28 Nov 2017 15:55:24 +0100 From: Matthieu Herrb <matthieu.herrb@...s.fr> To: oss-security@...ts.openwall.com Subject: CVE-2017-16611 libXfont Open files with O_NOFOLLOW Hi, X.Org has just release libXfont 1.5.4 and libXfont2 2.0.3 which contain the following security fix: Author: Michal Srb <msrb@...e.com> AuthorDate: Thu Oct 26 09:48:13 2017 +0200 Commit: Matthieu Herrb <matthieu@...rb.eu> CommitDate: Sat Nov 25 11:46:50 2017 +0100 Open files with O_NOFOLLOW. (CVE-2017-16611) A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog. https://marc.info/?l=freedesktop-xorg-announce&m=151188049718337&w=2 https://marc.info/?l=freedesktop-xorg-announce&m=151188044218304&w=2 -- Matthieu Herrb Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.