CERTA-2011-AVI-673
Vulnerability from certfr_avis
A vulnerability in libXfont allows a malicious user to elevate their privileges.
Description
The libXfont library uses an LZW decompression routine that is vulnerable to a memory overflow. A malicious user can exploit this flaw to obtain the privileges of the application that uses the library, for example an X server.
Solution
Version 1.4.4 of the libXfont library fixes this problem.
Refer to the security bulletins from the vendor and the distributions to obtain the patches (see the Documentation section).
Impacted products
libXfont, version 1.4.3 and earlier versions.
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cp\u003elibXfont, version 1.4.3 et versions ant\u00e9rieures.\u003c/p\u003e",
"content": "## Description\n\nLa biblioth\u00e8que libXfont utilise un programme de d\u00e9compression LZW\nvuln\u00e9rable \u00e0 un d\u00e9bordement de m\u00e9moire. Ce d\u00e9faut peut \u00eatre exploit\u00e9 par\nun utilisateur malveillant pour obtenir les droits de l\u0027application\nayant utilis\u00e9 cette biblioth\u00e8que, par exemple un serveur X.\n\n## Solution\n\nLa version 1.4.4 de la biblioth\u00e8que libXfont corrige ce probl\u00e8me.\n\nSe r\u00e9f\u00e9rer aux bulletins de s\u00e9curit\u00e9 de l\u0027\u00e9diteur et des distributions\npour l\u0027obtention des correctifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2011-2895",
"url": "https://www.cve.org/CVERecord?id=CVE-2011-2895"
}
],
"initial_release_date": "2011-12-06T00:00:00",
"last_revision_date": "2011-12-06T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2011:1161 du 15 ao\u00fbt 2011 :",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1161.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Novell CVE-2011-2895 du 05 d\u00e9cembre 2011 :",
"url": "http://support.novell.com/security/cve/CVE-2011-2895.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2011:1155 du 11 ao\u00fbt 2011 :",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1155.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 X.org du 10 ao\u00fbt 2011 :",
"url": "http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-1191-1 du 15 ao\u00fbt 2011 :",
"url": "http://www.ubuntu.com/usn/usn-1191-1/"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Debian DSA 2293 du 12 ao\u00fbt 2011 :",
"url": "http://www.debian.org/security/2011/dsa-2293"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2011:1154 du 11 ao\u00fbt 2011 :",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1154.html"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Mandriva MDKSA-2011:153 du 17 octobre 2011 :",
"url": "http://www.mandriva.com/archives/security/advisories"
},
{
"title": "Correctif de s\u00e9curit\u00e9 NetBSD SA2011-007 du 20 septembre 2011 :",
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc"
}
],
"reference": "CERTA-2011-AVI-673",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2011-12-06T00:00:00.000000"
}
],
"risks": [
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 dans libXfont permet \u00e0 un utilisateur malveillant\nd\u0027\u00e9lever ses privil\u00e8ges.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans libXfont",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Novell CVE-2011-2895 du 05 d\u00e9cembre 2011",
"url": null
}
]
}