ID CVE-2016-5384
Summary fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.
References
Vulnerable Configurations
  • Fedora 24
    cpe:2.3:o:fedoraproject:fedora:24
  • fontconfig project fontconfig 2.12
    cpe:2.3:a:fontconfig_project:fontconfig:2.12
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 4.6 (as of 15-08-2016 - 10:04)
Impact:
Exploitability:
CWE CWE-415
CAPEC
Access
  • Vector LOCAL
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3644.NASL
    description Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92795
    published 2016-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92795
    title Debian DSA-3644-1 : fontconfig - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_44989C2967D111E68B1DC86000169601.NASL
    description Debian security team reports : Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93061
    published 2016-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93061
    title FreeBSD : fontconfig -- insufficiently cache file validation (44989c29-67d1-11e6-8b1d-c86000169601)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2186-1.NASL
    description This update for fontconfig fixes the following issues : - security update : - CVE-2016-5384: Possible double free due to insufficiently validated cache files [bsc#992534] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93310
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93310
    title SUSE SLES11 Security Update : fontconfig (SUSE-SU-2016:2186-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2601.NASL
    description An update for fontconfig is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications. Security Fix(es) : * It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384) Red Hat would like to thank Tobias Stoeckmann for reporting this issue. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95347
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95347
    title CentOS 7 : fontconfig (CESA-2016:2601)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2601.NASL
    description From Red Hat Security Advisory 2016:2601 : An update for fontconfig is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications. Security Fix(es) : * It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384) Red Hat would like to thank Tobias Stoeckmann for reporting this issue. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 94720
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94720
    title Oracle Linux 7 : fontconfig (ELSA-2016-2601)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1077.NASL
    description According to the version of the fontconfig packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99837
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99837
    title EulerOS 2.0 SP1 : fontconfig (EulerOS-SA-2016-1077)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-587.NASL
    description A possible double free vulnerability was found in fontconfig. The problem was due to insufficient validation when parsing the cache file. For Debian 7 'Wheezy', these problems have been fixed in version 2.9.0-7.1+deb7u1. We recommend that you upgrade your fontconfig packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 92827
    published 2016-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92827
    title Debian DLA-587-1 : fontconfig security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1070.NASL
    description This update for fontconfig fixes the following issues : - security update : - CVE-2016-5384: Possible double free due to insufficiently validated cache files [bsc#992534] This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 93433
    published 2016-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93433
    title openSUSE Security Update : fontconfig (openSUSE-2016-1070)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2601.NASL
    description An update for fontconfig is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications. Security Fix(es) : * It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384) Red Hat would like to thank Tobias Stoeckmann for reporting this issue. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94564
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94564
    title RHEL 7 : fontconfig (RHSA-2016:2601)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-6802F2E52A.NASL
    description Security fix for CVE-2016-5384 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 93022
    published 2016-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93022
    title Fedora 23 : fontconfig (2016-6802f2e52a)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2190-1.NASL
    description This update for fontconfig fixes the following issues : - security update : - CVE-2016-5384: Possible double free due to insufficiently validated cache files [bsc#992534] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93312
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93312
    title SUSE SLED12 / SLES12 Security Update : fontconfig (SUSE-SU-2016:2190-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-E23AB56CE3.NASL
    description Security fix for CVE-2016-5384 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92811
    published 2016-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92811
    title Fedora 24 : fontconfig (2016-e23ab56ce3)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3063-1.NASL
    description Tobias Stoeckmann discovered that Fontconfig incorrectly handled cache files. A local attacker could possibly use this issue with a specially crafted cache file to elevate privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 93025
    published 2016-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93025
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : fontconfig vulnerability (USN-3063-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_FONTCONFIG_ON_SL7_X.NASL
    description Security Fix(es) : - It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384) Additional Changes :
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95838
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95838
    title Scientific Linux Security Update : fontconfig on SL7.x x86_64
redhat via4
advisories
bugzilla
id 1350891
title CVE-2016-5384 fontconfig: Possible double free due to insufficiently validated cache files
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment fontconfig is earlier than 0:2.10.95-10.el7
        oval oval:com.redhat.rhsa:tst:20162601005
      • comment fontconfig is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162601006
    • AND
      • comment fontconfig-devel is earlier than 0:2.10.95-10.el7
        oval oval:com.redhat.rhsa:tst:20162601007
      • comment fontconfig-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162601008
    • AND
      • comment fontconfig-devel-doc is earlier than 0:2.10.95-10.el7
        oval oval:com.redhat.rhsa:tst:20162601009
      • comment fontconfig-devel-doc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162601010
rhsa
id RHSA-2016:2601
released 2016-11-03
severity Moderate
title RHSA-2016:2601: fontconfig security and bug fix update (Moderate)
rpms
  • fontconfig-0:2.10.95-10.el7
  • fontconfig-devel-0:2.10.95-10.el7
  • fontconfig-devel-doc-0:2.10.95-10.el7
refmap via4
bid 92339
confirm https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940
debian DSA-3644
fedora
  • FEDORA-2016-6802f2e52a
  • FEDORA-2016-e23ab56ce3
mlist [Fontconfig] 20160805 fontconfig: Branch 'master' - 3 commits
ubuntu USN-3063-1
Last major update 17-01-2017 - 21:59
Published 12-08-2016 - 21:59