1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200609-07 / libxfont |
| Release Date | September 13, 2006 |
| Latest Revision | September 13, 2006: 01 |
| Impact | high |
| Exploitable | local and remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| x11-libs/libXfont | < 1.2.1 | >= 1.2.1 | All supported architectures |
| x11-base/xorg-x11 | < 7.0 | >= 7.0 | All supported architectures |
Related bugreports: #145513
Some buffer overflows were discovered in the CID font parser, potentially resulting in the execution of arbitrary code with elevated privileges.
libXfont is the X.Org Xfont library, some parts are based on the FreeType code base.
Several integer overflows have been found in the CID font parser.
A remote attacker could exploit this vulnerability by enticing a user to load a malicious font file resulting in the execution of arbitrary code with the permissions of the user running the X server which typically is the root user. A local user could exploit this vulnerability to gain elevated privileges.
Disable CID-encoded Type 1 fonts by removing the "type1" module and replacing it with the "freetype" module in xorg.conf.
All libXfont users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.1" |
All monolithic X.org users are advised to migrate to modular X.org.