Security Advisory Important: libXfont security update

Advisory: RHSA-2008:0064-5
Type: Security Advisory
Severity: Important
Issued on: 2008-01-17
Last updated on: 2008-01-17
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL: com.redhat.rhsa-20080064.xml
CVEs (cve.mitre.org): CVE-2008-0006

Details

An updated X.Org libXfont package that fixes a security issue is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The libXfont package contains the X.Org X11 libXfont runtime library.

A heap based buffer overflow flaw was found in the way the X.Org server
handled malformed font files. A malicious local user could exploit this
issue to potentially execute arbitrary code with the privileges of the
X.Org server. (CVE-2008-0006)

Users of X.Org libXfont should upgrade to these updated packages, which
contain a backported patch to resolve this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
libXfont-devel-1.2.2-1.0.3.el5_1.i386.rpm     503a70921dbe1c42d0d6b994c5185a88
 
x86_64:
libXfont-devel-1.2.2-1.0.3.el5_1.i386.rpm     503a70921dbe1c42d0d6b994c5185a88
libXfont-devel-1.2.2-1.0.3.el5_1.x86_64.rpm     7fbcf5b57c7cb1c68e20c2f86ff9268d
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
libXfont-1.2.2-1.0.3.el5_1.src.rpm     0492a93edeea11bd29f587cf9360f698
 
IA-32:
libXfont-1.2.2-1.0.3.el5_1.i386.rpm     c9d7452db4224644ee0e598ae380f5b1
libXfont-devel-1.2.2-1.0.3.el5_1.i386.rpm     503a70921dbe1c42d0d6b994c5185a88
 
IA-64:
libXfont-1.2.2-1.0.3.el5_1.ia64.rpm     0a8f5550281549cd1d9b78bcfb4bffe7
libXfont-devel-1.2.2-1.0.3.el5_1.ia64.rpm     b0eb40916cf6b63d6b9406e2dea44759
 
PPC:
libXfont-1.2.2-1.0.3.el5_1.ppc.rpm     9b4699ef5f446e9ab99fa0def66d7261
libXfont-1.2.2-1.0.3.el5_1.ppc64.rpm     80be7341879ab3a5294992239b975513
libXfont-devel-1.2.2-1.0.3.el5_1.ppc.rpm     e0e22b97c99b3292f8395999b6c683b2
libXfont-devel-1.2.2-1.0.3.el5_1.ppc64.rpm     06ad724b7439bcd078bbe5848cdf369d
 
s390x:
libXfont-1.2.2-1.0.3.el5_1.s390.rpm     15b22dd75fa15212fa9a6a4e117fa496
libXfont-1.2.2-1.0.3.el5_1.s390x.rpm     021f357ddd4405073364ffcfa1ec94ef
libXfont-devel-1.2.2-1.0.3.el5_1.s390.rpm     20dd2604f5d149928503cb5668b80e57
libXfont-devel-1.2.2-1.0.3.el5_1.s390x.rpm     73170b10de857d0a42829f545d2a9781
 
x86_64:
libXfont-1.2.2-1.0.3.el5_1.i386.rpm     c9d7452db4224644ee0e598ae380f5b1
libXfont-1.2.2-1.0.3.el5_1.x86_64.rpm     0f4dfe24f11dee8fbb1ade10e7c5a801
libXfont-devel-1.2.2-1.0.3.el5_1.i386.rpm     503a70921dbe1c42d0d6b994c5185a88
libXfont-devel-1.2.2-1.0.3.el5_1.x86_64.rpm     7fbcf5b57c7cb1c68e20c2f86ff9268d
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
libXfont-1.2.2-1.0.3.el5_1.src.rpm     0492a93edeea11bd29f587cf9360f698
 
IA-32:
libXfont-1.2.2-1.0.3.el5_1.i386.rpm     c9d7452db4224644ee0e598ae380f5b1
 
x86_64:
libXfont-1.2.2-1.0.3.el5_1.i386.rpm     c9d7452db4224644ee0e598ae380f5b1
libXfont-1.2.2-1.0.3.el5_1.x86_64.rpm     0f4dfe24f11dee8fbb1ade10e7c5a801
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

428044 - CVE-2008-0006 Xorg / XFree86 PCF font parser buffer overflow


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0006
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/