Security Advisory Important: libXfont security update

Advisory: RHSA-2011:1834-1
Type: Security Advisory
Severity: Important
Issued on: 2011-12-19
Last updated on: 2011-12-19
Affected Products: Red Hat Enterprise Linux EUS (v. 5.6.z server)
Red Hat Enterprise Linux Long Life (v. 5.6 server)
CVEs (cve.mitre.org): CVE-2011-2895

Details

Updated libXfont packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The libXfont packages provide the X.Org libXfont runtime library. X.Org is
an open source implementation of the X Window System.

A buffer overflow flaw was found in the way the libXfont library, used by
the X.Org server, handled malformed font files compressed using UNIX
compress. A malicious, local user could exploit this issue to potentially
execute arbitrary code with the privileges of the X.Org server.
(CVE-2011-2895)

Users of libXfont should upgrade to these updated packages, which contain a
backported patch to resolve this issue. All running X.Org server instances
must be restarted for the update to take effect.
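
One way to check the restart requirement above, as an added example that is not part of Red Hat's advisory: the function lists processes that still map a libXfont file which has since been replaced on disk. The sample /proc tree, PIDs and library path are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running the pre-update libXfont,
# i.e. X servers that were not restarted after the package was upgraded.

# Print "PID COMMAND" for every process under proc root $1 (default /proc)
# whose maps file shows a libXfont shared object that was deleted on disk.
stale_libxfont_procs() {
    procroot=${1:-/proc}
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # A replaced library appears as ".../libXfont.so.N (deleted)".
        if grep -Eq '/libXfont\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            piddir=${maps%/maps}
            pid=${piddir##*/}
            # cmdline is NUL-separated; keep argv[0] only.
            cmd=$(tr '\0' '\n' 2>/dev/null < "$piddir/cmdline" | head -n 1)
            echo "$pid ${cmd:-unknown}"
        fi
    done
}

# Build a constructed /proc-like tree for an offline run: PID 4242 is an
# X server started before the update, PID 4343 one started after it.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/4242" "$root/4343"
    printf '/usr/bin/Xorg\0:0\0' > "$root/4242/cmdline"
    printf '/usr/bin/Xorg\0:1\0' > "$root/4343/cmdline"
    cat > "$root/4242/maps" <<'EOF'
00400000-005c1000 r-xp 00000000 fd:00 131 /usr/bin/Xorg
3a1e000000-3a1e023000 r-xp 00000000 fd:00 977 /usr/lib64/libXfont.so.1.4.1 (deleted)
EOF
    cat > "$root/4343/maps" <<'EOF'
00400000-005c1000 r-xp 00000000 fd:00 131 /usr/bin/Xorg
3a1e000000-3a1e023000 r-xp 00000000 fd:00 988 /usr/lib64/libXfont.so.1.4.1
EOF
    echo "$root"
}

# Demonstration on the constructed tree; prints "4242 /usr/bin/Xorg".
sample=$(make_sample_proc)
stale_libxfont_procs "$sample"
rm -rf "$sample"
```

On a live host, call `stale_libxfont_procs` with no argument as root so that every process's maps file is readable; each PID it lists still needs a restart.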


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux EUS (v. 5.6.z server)

SRPMS:
libXfont-1.2.2-1.0.3.el5_6.src.rpm     MD5: 4199722bed8b0298d6b9d2b3bc0d968d
SHA-256: 8fb919365bbf230a0641c654ea5f4ccace7d9a4bb0ab5a0c20a18e012b92b091
 
IA-32:
libXfont-1.2.2-1.0.3.el5_6.i386.rpm     MD5: 3832639898bf38de782599b31a2386d5
SHA-256: 51fefc39c9b705063b3ea40432b4fb5e5efbb3f7fbc0af77e33e9b35dc662926
libXfont-devel-1.2.2-1.0.3.el5_6.i386.rpm     MD5: cda161863bde68e15de17384cd272a53
SHA-256: c5c903d49f79f7ba8b9769c2c98b4a06d5ce946f1ad8677343e4edc630be7b0c
 
IA-64:
libXfont-1.2.2-1.0.3.el5_6.ia64.rpm     MD5: f3d2ca4f558089b633142e36e338d361
SHA-256: 5df189533c8922d251f7c62a104d1e903409194110b20c2f79f9ba464e0e8d13
libXfont-devel-1.2.2-1.0.3.el5_6.ia64.rpm     MD5: 1afff8b7c60c977c5eba90844903081e
SHA-256: 24e2ccddd46b9228ee873308a7e18d99f106fc91c783c0d4bc6abfc9f564cb30
 
PPC:
libXfont-1.2.2-1.0.3.el5_6.ppc.rpm     MD5: 2d39b1ba5340d04f67489510cc67d5cf
SHA-256: 914a6af3193d36d323bb82420b23d0d59829baf32735eeb3a0c6b015974333d6
libXfont-1.2.2-1.0.3.el5_6.ppc64.rpm     MD5: e3053aff7a267785cf1381affbca7734
SHA-256: ccf7102b01375dde721a5cb8550682ed608c5fb3c2e82edfb57d5e3abb7b532a
libXfont-devel-1.2.2-1.0.3.el5_6.ppc.rpm     MD5: 457c273ffa5cc48153fa317047745852
SHA-256: a98ccf7226d919079994e895a40146afc2c266334e41e861104c73395064128e
libXfont-devel-1.2.2-1.0.3.el5_6.ppc64.rpm     MD5: 38faf75bcecf8aab6fdb5d79b6fd406b
SHA-256: 8d97250695a8f24f53bb26cfa6071a2dade886bc26bec3ae1a155024be59ce83
 
s390x:
libXfont-1.2.2-1.0.3.el5_6.s390.rpm     MD5: d1c938e8a8730ca343f4fc01a6410158
SHA-256: 445eb02e62c2ff6359b4f8b4ec20058d6006c197ca085519df1407cacc26e070
libXfont-1.2.2-1.0.3.el5_6.s390x.rpm     MD5: fd627deb12dafc9ce372e29c4641a8c9
SHA-256: ed9d74334deaee3d96bf0b7ddad05608588dd847cf758082083a1fae56b21782
libXfont-devel-1.2.2-1.0.3.el5_6.s390.rpm     MD5: 07b8df760eb40a3dc56230b3d8cf56a6
SHA-256: 2618429841a2c05abf621130f966de73533a6a17c0bff4bf967bfe5550f7b5e0
libXfont-devel-1.2.2-1.0.3.el5_6.s390x.rpm     MD5: a972dd93233a00266b43d54a5c31c8fe
SHA-256: 21dca1f96ca5de20adc8d6bc07301843279dafd55f5a645b87a7552f23ba998b
 
x86_64:
libXfont-1.2.2-1.0.3.el5_6.i386.rpm     MD5: 3832639898bf38de782599b31a2386d5
SHA-256: 51fefc39c9b705063b3ea40432b4fb5e5efbb3f7fbc0af77e33e9b35dc662926
libXfont-1.2.2-1.0.3.el5_6.x86_64.rpm     MD5: 98f22e66dc915c2c0a4ecd69c3d4cb7a
SHA-256: 665bb52b0c6ec4d7f841ac1689873195021f35920403952b640c4207a7970ea0
libXfont-devel-1.2.2-1.0.3.el5_6.i386.rpm     MD5: cda161863bde68e15de17384cd272a53
SHA-256: c5c903d49f79f7ba8b9769c2c98b4a06d5ce946f1ad8677343e4edc630be7b0c
libXfont-devel-1.2.2-1.0.3.el5_6.x86_64.rpm     MD5: bda55ec34a635297810638a027a6a353
SHA-256: 665315ece0c934e3216aeea0c130692bd5681ca6009ed06e24c843b5cd809b0a
 
Red Hat Enterprise Linux Long Life (v. 5.6 server)

SRPMS:
libXfont-1.2.2-1.0.3.el5_6.src.rpm     MD5: 4199722bed8b0298d6b9d2b3bc0d968d
SHA-256: 8fb919365bbf230a0641c654ea5f4ccace7d9a4bb0ab5a0c20a18e012b92b091
 
IA-32:
libXfont-1.2.2-1.0.3.el5_6.i386.rpm     MD5: 3832639898bf38de782599b31a2386d5
SHA-256: 51fefc39c9b705063b3ea40432b4fb5e5efbb3f7fbc0af77e33e9b35dc662926
libXfont-devel-1.2.2-1.0.3.el5_6.i386.rpm     MD5: cda161863bde68e15de17384cd272a53
SHA-256: c5c903d49f79f7ba8b9769c2c98b4a06d5ce946f1ad8677343e4edc630be7b0c
 
IA-64:
libXfont-1.2.2-1.0.3.el5_6.ia64.rpm     MD5: f3d2ca4f558089b633142e36e338d361
SHA-256: 5df189533c8922d251f7c62a104d1e903409194110b20c2f79f9ba464e0e8d13
libXfont-devel-1.2.2-1.0.3.el5_6.ia64.rpm     MD5: 1afff8b7c60c977c5eba90844903081e
SHA-256: 24e2ccddd46b9228ee873308a7e18d99f106fc91c783c0d4bc6abfc9f564cb30
 
x86_64:
libXfont-1.2.2-1.0.3.el5_6.i386.rpm     MD5: 3832639898bf38de782599b31a2386d5
SHA-256: 51fefc39c9b705063b3ea40432b4fb5e5efbb3f7fbc0af77e33e9b35dc662926
libXfont-1.2.2-1.0.3.el5_6.x86_64.rpm     MD5: 98f22e66dc915c2c0a4ecd69c3d4cb7a
SHA-256: 665bb52b0c6ec4d7f841ac1689873195021f35920403952b640c4207a7970ea0
libXfont-devel-1.2.2-1.0.3.el5_6.i386.rpm     MD5: cda161863bde68e15de17384cd272a53
SHA-256: c5c903d49f79f7ba8b9769c2c98b4a06d5ce946f1ad8677343e4edc630be7b0c
libXfont-devel-1.2.2-1.0.3.el5_6.x86_64.rpm     MD5: bda55ec34a635297810638a027a6a353
SHA-256: 665315ece0c934e3216aeea0c130692bd5681ca6009ed06e24c843b5cd809b0a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

725760 - CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loop
727624 - CVE-2011-2895 BSD compress LZW decoder buffer overflow


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/