CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
29.0%
libXfont is the X.Org Xfont library, some parts are based on the FreeType code base.
Several integer overflows have been found in the CID font parser.
A remote attacker could exploit this vulnerability by enticing a user to load a malicious font file resulting in the execution of arbitrary code with the permissions of the user running the X server which typically is the root user. A local user could exploit this vulnerability to gain elevated privileges.
Disable CID-encoded Type 1 fonts by removing the “type1” module and replacing it with the “freetype” module in xorg.conf.
All libXfont users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.1"
All monolithic X.org users are advised to migrate to modular X.org.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | x11-libs/libxfont | < 1.2.1 | UNKNOWN |
Gentoo | any | all | x11-base/xorg-x11 | < 7.0 | UNKNOWN |