Vulnerabilities > CVE-2015-1804 - Numeric Errors vulnerability in X Libxfont

047910
CVSS 8.5 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
SINGLE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-4199.NASL
    descriptionlibXfont 1.5.1 (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-03-23
    plugin id81994
    published2015-03-23
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81994
    titleFedora 22 : libXfont-1.5.1-1.fc22 (2015-4199)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-4199.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81994);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804");
      script_bugtraq_id(73277, 73279, 73280);
      script_xref(name:"FEDORA", value:"2015-4199");
    
      script_name(english:"Fedora 22 : libXfont-1.5.1-1.fc22 (2015-4199)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "libXfont 1.5.1 (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152497.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3750b299"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libXfont package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libXfont");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC22", reference:"libXfont-1.5.1-1.fc22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXfont");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2536-1.NASL
    descriptionIlja van Sprundel, Alan Coopersmith, and William Robinet discovered that libXfont incorrectly handled malformed bdf fonts. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id81951
    published2015-03-19
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81951
    titleUbuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : libxfont vulnerabilities (USN-2536-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2536-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81951);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/18 12:31:44");
    
      script_cve_id("CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804");
      script_bugtraq_id(73277);
      script_xref(name:"USN", value:"2536-1");
    
      script_name(english:"Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : libxfont vulnerabilities (USN-2536-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ilja van Sprundel, Alan Coopersmith, and William Robinet discovered
    that libXfont incorrectly handled malformed bdf fonts. A local
    attacker could use this issue to cause libXfont to crash, or possibly
    execute arbitrary code in order to gain privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2536-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libxfont1 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libxfont1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04|12\.04|14\.04|14\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 12.04 / 14.04 / 14.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"libxfont1", pkgver:"1:1.4.1-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"libxfont1", pkgver:"1:1.4.4-1ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libxfont1", pkgver:"1:1.4.7-1ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"14.10", pkgname:"libxfont1", pkgver:"1:1.4.99.901-1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libxfont1");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-183.NASL
    descriptionIlja van Sprundel, Alan Coopersmith and William Robinet discovered multiple issues in libxfont
    last seen2020-03-17
    modified2015-03-30
    plugin id82300
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82300
    titleDebian DLA-183-1 : libxfont security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-183-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82300);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804");
      script_bugtraq_id(73277, 73279, 73280);
    
      script_name(english:"Debian DLA-183-1 : libxfont security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ilja van Sprundel, Alan Coopersmith and William Robinet discovered
    multiple issues in libxfont's code to process BDF fonts, which might
    result in privilege escalation.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2015/03/msg00020.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/libxfont"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxfont-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxfont1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxfont1-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxfont1-udeb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"libxfont-dev", reference:"1:1.4.1-5+deb6u1")) flag++;
    if (deb_check(release:"6.0", prefix:"libxfont1", reference:"1:1.4.1-5+deb6u1")) flag++;
    if (deb_check(release:"6.0", prefix:"libxfont1-dbg", reference:"1:1.4.1-5+deb6u1")) flag++;
    if (deb_check(release:"6.0", prefix:"libxfont1-udeb", reference:"1:1.4.1-5+deb6u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3194.NASL
    descriptionIlja van Sprundel, Alan Coopersmith and William Robinet discovered multiple issues in libxfont
    last seen2020-03-17
    modified2015-03-18
    plugin id81900
    published2015-03-18
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81900
    titleDebian DSA-3194-1 : libxfont - security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3194. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81900);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804");
      script_bugtraq_id(73277, 73279, 73280);
      script_xref(name:"DSA", value:"3194");
    
      script_name(english:"Debian DSA-3194-1 : libxfont - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ilja van Sprundel, Alan Coopersmith and William Robinet discovered
    multiple issues in libxfont's code to process BDF fonts, which might
    result in privilege escalation."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/libxfont"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2015/dsa-3194"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the libxfont packages.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 1.4.5-5."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxfont");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libxfont-dev", reference:"1.4.5-5")) flag++;
    if (deb_check(release:"7.0", prefix:"libxfont1", reference:"1.4.5-5")) flag++;
    if (deb_check(release:"7.0", prefix:"libxfont1-dbg", reference:"1.4.5-5")) flag++;
    if (deb_check(release:"7.0", prefix:"libxfont1-udeb", reference:"1.4.5-5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-597.NASL
    descriptionAn integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803)
    last seen2020-06-01
    modified2020-06-02
    plugin id86075
    published2015-09-23
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86075
    titleAmazon Linux AMI : libXfont (ALAS-2015-597)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-597.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(86075);
      script_version("2.2");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804");
      script_xref(name:"ALAS", value:"2015-597");
      script_xref(name:"RHSA", value:"2015:1708");
    
      script_name(english:"Amazon Linux AMI : libXfont (ALAS-2015-597)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An integer overflow flaw was found in the way libXfont processed
    certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious,
    local user could use this flaw to crash the X.Org server or,
    potentially, execute arbitrary code with the privileges of the X.Org
    server. (CVE-2015-1802)
    
    An integer truncation flaw was discovered in the way libXfont
    processed certain Glyph Bitmap Distribution Format (BDF) fonts. A
    malicious, local user could use this flaw to crash the X.Org server
    or, potentially, execute arbitrary code with the privileges of the
    X.Org server. (CVE-2015-1804)
    
    A NULL pointer dereference flaw was discovered in the way libXfont
    processed certain Glyph Bitmap Distribution Format (BDF) fonts. A
    malicious, local user could use this flaw to crash the X.Org server.
    (CVE-2015-1803)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-597.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update libXfont' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libXfont");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libXfont-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libXfont-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/09/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"libXfont-1.4.5-5.12.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"libXfont-debuginfo-1.4.5-5.12.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"libXfont-devel-1.4.5-5.12.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXfont / libXfont-debuginfo / libXfont-devel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-913.NASL
    descriptionThis update for libXfont fixes the following issue : - A negative DWIDTH is legal. This was broken by the security fix for CVE-2015-1804. (boo#958383).
    last seen2020-06-05
    modified2015-12-21
    plugin id87517
    published2015-12-21
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/87517
    titleopenSUSE Security Update : libXfont (openSUSE-2015-913)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-913.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87517);
      script_version("2.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-1804");
    
      script_name(english:"openSUSE Security Update : libXfont (openSUSE-2015-913)");
      script_summary(english:"Check for the openSUSE-2015-913 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for libXfont fixes the following issue :
    
      - A negative DWIDTH is legal. This was broken by the
        security fix for CVE-2015-1804. (boo#958383)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=958383"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libXfont packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2|SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2 / 42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont-debugsource-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont-devel-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont1-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont1-debuginfo-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libXfont-devel-32bit-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libXfont1-32bit-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libXfont1-debuginfo-32bit-1.4.6-2.15.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont-debugsource-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont-devel-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont1-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont1-debuginfo-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libXfont-devel-32bit-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libXfont1-32bit-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libXfont1-debuginfo-32bit-1.5.0-2.7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libXfont-debugsource-1.5.1-7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libXfont-devel-1.5.1-7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libXfont1-1.5.1-7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libXfont1-debuginfo-1.5.1-7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libXfont-devel-32bit-1.5.1-7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libXfont1-32bit-1.5.1-7.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libXfont1-debuginfo-32bit-1.5.1-7.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXfont-debugsource / libXfont-devel / libXfont-devel-32bit / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-266.NASL
    descriptionlibXFont was updated to fix three vulnerabilities when parsing BDF files (bnc#921978) As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server. The following vulnerabilities were fixed : - The BDF parser could allocate the a wrong buffer size, leading to out of bound writes (CVE-2015-1802) - The BDF parser could crash when trying to read an invalid pointer (CVE-2015-1803) - The BDF parser could read 32 bit metrics values into 16 bit integers, causing an out-of-bound memory access though integer overflow (CVE-2015-1804)
    last seen2020-06-05
    modified2015-03-30
    plugin id82424
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82424
    titleopenSUSE Security Update : libXfont (openSUSE-2015-266)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-266.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82424);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-1802", "CVE-2015-1803", "CVE-2015-1804");
    
      script_name(english:"openSUSE Security Update : libXfont (openSUSE-2015-266)");
      script_summary(english:"Check for the openSUSE-2015-266 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "libXFont was updated to fix three vulnerabilities when parsing BDF
    files (bnc#921978)
    
    As libXfont is used by the X server to read font files, and an
    unprivileged user with access to the X server can tell the X server to
    read a given font file from a path of their choosing, these
    vulnerabilities have the potential to allow unprivileged users to run
    code with the privileges of the X server.
    
    The following vulnerabilities were fixed :
    
      - The BDF parser could allocate the a wrong buffer size,
        leading to out of bound writes (CVE-2015-1802)
    
      - The BDF parser could crash when trying to read an
        invalid pointer (CVE-2015-1803)
    
      - The BDF parser could read 32 bit metrics values into 16
        bit integers, causing an out-of-bound memory access
        though integer overflow (CVE-2015-1804)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=921978"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libXfont packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXfont1-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1|SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont-debugsource-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont-devel-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont1-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libXfont1-debuginfo-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libXfont-devel-32bit-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libXfont1-32bit-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libXfont1-debuginfo-32bit-1.4.6-2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont-debugsource-1.5.0-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont-devel-1.5.0-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont1-1.5.0-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"libXfont1-debuginfo-1.5.0-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libXfont-devel-32bit-1.5.0-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libXfont1-32bit-1.5.0-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:"libXfont1-debuginfo-32bit-1.5.0-2.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXfont-debugsource / libXfont-devel / libXfont-devel-32bit / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1708.NASL
    descriptionFrom Red Hat Security Advisory 2015:1708 : An updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85780
    published2015-09-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85780
    titleOracle Linux 6 / 7 : libXfont (ELSA-2015-1708)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_F7D79FACCD4911E4898FBCAEC565249C.NASL
    descriptionAlan Coopersmith reports : Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files. As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).
    last seen2020-06-01
    modified2020-06-02
    plugin id81901
    published2015-03-18
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81901
    titleFreeBSD : libXfont -- BDF parsing issues (f7d79fac-cd49-11e4-898f-bcaec565249c)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201507-21.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201507-21 (libXfont: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libXfont. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id84935
    published2015-07-23
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84935
    titleGLSA-201507-21 : libXfont: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1708.NASL
    descriptionAn updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85973
    published2015-09-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85973
    titleRHEL 6 / 7 : libXfont (RHSA-2015:1708)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0120.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-1802: missing range check in bdfReadProperties (bug 1258892) - CVE-2015-1803: crash on invalid read in bdfReadCharacters (bug 1258892) - CVE-2015-1804: out-of-bounds memory access in bdfReadCharacters (bug 1258892)
    last seen2020-06-01
    modified2020-06-02
    plugin id85784
    published2015-09-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85784
    titleOracleVM 3.3 : libXfont (OVMSA-2015-0120)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-145.NASL
    descriptionUpdated libxfont packages fix security vulnerabilities : Ilja van Sprundel discovered that libXfont incorrectly handled font metadata file parsing. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges (CVE-2014-0209). Ilja van Sprundel discovered that libXfont incorrectly handled X Font Server replies. A malicious font server could return specially crafted data that could cause libXfont to crash, or possibly execute arbitrary code (CVE-2014-0210, CVE-2014-0211). The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes (CVE-2015-1802). If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer (CVE-2015-1803). The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access (CVE-2015-1804).
    last seen2020-06-01
    modified2020-06-02
    plugin id82398
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82398
    titleMandriva Linux Security Advisory : libxfont (MDVSA-2015:145-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-4230.NASL
    descriptionSecurity fix for CVE-2015-1802, CVE-2015-1803, CVE-2015-1804 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-03-25
    plugin id82057
    published2015-03-25
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82057
    titleFedora 21 : libXfont-1.5.1-1.fc21 (2015-4230)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1708.NASL
    descriptionAn updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The libXfont package provides the X.Org libXfont runtime library. X.Org is an open source implementation of the X Window System. An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803) All libXfont users are advised to upgrade to this updated package, which contains backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id86506
    published2015-10-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86506
    titleCentOS 6 / 7 : libXfont (CESA-2015:1708)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150903_LIBXFONT_ON_SL6_X.NASL
    descriptionAn integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1802) An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. (CVE-2015-1804) A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. (CVE-2015-1803)
    last seen2020-03-18
    modified2015-09-04
    plugin id85788
    published2015-09-04
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85788
    titleScientific Linux Security Update : libXfont on SL6.x, SL7.x i386/x86_64 (20150903)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_XORG-X11-DEVEL-150317.NASL
    descriptionLibXFont was updated to fix security problems that could be used by local attackers to gain X server privileges (root). The following security issues have been fixed : - The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. (CVE-2015-1802) - If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. (CVE-2015-1803) - The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access. (CVE-2015-1804)
    last seen2020-06-01
    modified2020-06-02
    plugin id82641
    published2015-04-08
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82641
    titleSuSE 11.3 Security Update : xorg-x11-libs (SAT Patch Number 10487)

Redhat

advisories
bugzilla
id1203719
titleCVE-2015-1804 libXfont: out-of-bounds memory access in bdfReadCharacters
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentlibXfont is earlier than 0:1.4.5-5.el6_7
          ovaloval:com.redhat.rhsa:tst:20151708001
        • commentlibXfont is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111154007
      • AND
        • commentlibXfont-devel is earlier than 0:1.4.5-5.el6_7
          ovaloval:com.redhat.rhsa:tst:20151708003
        • commentlibXfont-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111154009
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentlibXfont is earlier than 0:1.4.7-3.el7_1
          ovaloval:com.redhat.rhsa:tst:20151708006
        • commentlibXfont is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111154007
      • AND
        • commentlibXfont-devel is earlier than 0:1.4.7-3.el7_1
          ovaloval:com.redhat.rhsa:tst:20151708007
        • commentlibXfont-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20111154009
rhsa
idRHSA-2015:1708
released2015-09-03
severityImportant
titleRHSA-2015:1708: libXfont security update (Important)
rpms
  • libXfont-0:1.4.5-5.el6_7
  • libXfont-0:1.4.7-3.ael7b_1
  • libXfont-0:1.4.7-3.el7_1
  • libXfont-debuginfo-0:1.4.5-5.el6_7
  • libXfont-debuginfo-0:1.4.7-3.ael7b_1
  • libXfont-debuginfo-0:1.4.7-3.el7_1
  • libXfont-devel-0:1.4.5-5.el6_7
  • libXfont-devel-0:1.4.7-3.ael7b_1
  • libXfont-devel-0:1.4.7-3.el7_1