CVE-2011-2895

19.08.2011, 17:55

The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Affected Products (NVD)

Vendor	Product	Version
freetype	freetype	2.1.9
x	libxfont	𝑥 ≤ 1.4.3
x	libxfont	1.2.0
x	libxfont	1.2.1
x	libxfont	1.2.2
x	libxfont	1.2.3
x	libxfont	1.2.4
x	libxfont	1.2.5
x	libxfont	1.2.6
x	libxfont	1.2.7
x	libxfont	1.2.8
x	libxfont	1.2.9
x	libxfont	1.3.0
x	libxfont	1.3.1
x	libxfont	1.3.2
x	libxfont	1.3.3
x	libxfont	1.3.4
x	libxfont	1.4.0
x	libxfont	1.4.1
x	libxfont	1.4.2
freebsd	freebsd	*
netbsd	netbsd	*
openbsd	openbsd	𝑥 ≤ 3.7
openbsd	openbsd	2.0
openbsd	openbsd	2.1
openbsd	openbsd	2.2
openbsd	openbsd	2.3
openbsd	openbsd	2.4
openbsd	openbsd	2.5
openbsd	openbsd	2.6
openbsd	openbsd	2.7
openbsd	openbsd	2.8
openbsd	openbsd	2.9
openbsd	openbsd	3.0
openbsd	openbsd	3.1
openbsd	openbsd	3.2
openbsd	openbsd	3.3
openbsd	openbsd	3.4
openbsd	openbsd	3.5
openbsd	openbsd	3.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libxfont

bookworm	1:2.0.6-1 fixed
bullseye	1:2.0.4-1 fixed
sid	1:2.0.6-1 fixed
trixie	1:2.0.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libxfont

hardy	ignored
lucid	Fixed 1:1.4.1-1ubuntu0.1 released
maverick	Fixed 1:1.4.2-1ubuntu0.1 released
natty	Fixed 1:1.4.3-2ubuntu0.1 released

openSUSE / SLES Releases

openSUSE Product

Release

libXfont1

suse enterprise server 12 SP2	1.5.1-10.3 fixed
suse enterprise server 12 SP3	1.5.1-10.3 fixed
suse enterprise server 12 SP4	1.5.1-11.3.12 fixed
suse enterprise server 12 SP5	1.5.1-11.3.12 fixed

xorg-x11-libs

suse enterprise server 12 SP2	7.6-45.7 fixed
suse enterprise server 12 SP3	7.6-45.7 fixed
suse enterprise server 12 SP4	7.6-45.7 fixed
suse enterprise server 12 SP5	7.6-45.7 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

libXfont

RHEL 6

0:1.4.1-2.el6_1

fixed

libXfont-devel

RHEL 6

0:1.4.1-2.el6_1

fixed

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html

http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html

http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html

http://secunia.com/advisories/45544

http://secunia.com/advisories/45568

http://secunia.com/advisories/45599

http://secunia.com/advisories/45986

http://secunia.com/advisories/46127

http://secunia.com/advisories/48951

http://securitytracker.com/id?1025920

http://support.apple.com/kb/HT5130

http://support.apple.com/kb/HT5281

http://www.debian.org/security/2011/dsa-2293

http://www.mandriva.com/security/advisories?name=MDVSA-2011:153

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17

http://www.openwall.com/lists/oss-security/2011/08/10/10

http://www.redhat.com/support/errata/RHSA-2011-1154.html

http://www.redhat.com/support/errata/RHSA-2011-1155.html

http://www.redhat.com/support/errata/RHSA-2011-1161.html

http://www.redhat.com/support/errata/RHSA-2011-1834.html

http://www.securityfocus.com/bid/49124

http://www.ubuntu.com/usn/USN-1191-1

https://bugzilla.redhat.com/show_bug.cgi?id=725760

https://bugzilla.redhat.com/show_bug.cgi?id=727624

https://exchange.xforce.ibmcloud.com/vulnerabilities/69141

https://support.apple.com/HT205635

https://support.apple.com/HT205637

https://support.apple.com/HT205640

https://support.apple.com/HT205641

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html

http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html

http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html

http://secunia.com/advisories/45544

http://secunia.com/advisories/45568

http://secunia.com/advisories/45599

http://secunia.com/advisories/45986

http://secunia.com/advisories/46127

http://secunia.com/advisories/48951

http://securitytracker.com/id?1025920

http://support.apple.com/kb/HT5130

http://support.apple.com/kb/HT5281

http://www.debian.org/security/2011/dsa-2293

http://www.mandriva.com/security/advisories?name=MDVSA-2011:153

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17

http://www.openwall.com/lists/oss-security/2011/08/10/10

http://www.redhat.com/support/errata/RHSA-2011-1154.html

http://www.redhat.com/support/errata/RHSA-2011-1155.html

http://www.redhat.com/support/errata/RHSA-2011-1161.html

http://www.redhat.com/support/errata/RHSA-2011-1834.html

http://www.securityfocus.com/bid/49124

http://www.ubuntu.com/usn/USN-1191-1

https://bugzilla.redhat.com/show_bug.cgi?id=725760

https://bugzilla.redhat.com/show_bug.cgi?id=727624

https://exchange.xforce.ibmcloud.com/vulnerabilities/69141

https://support.apple.com/HT205635

https://support.apple.com/HT205637

https://support.apple.com/HT205640

https://support.apple.com/HT205641