Date: Wed, 8 Jan 2014 10:42:05 +0000 (UTC) From: Niclas Zeising <zeising@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r339086 - in head: security/vuxml x11-fonts/libXfont Message-ID: <201401081042.s08Ag5Hf021085@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: zeising Date: Wed Jan 8 10:42:04 2014 New Revision: 339086 URL: http://svnweb.freebsd.org/changeset/ports/339086 Log: Update libXfont to 1.4.7 This is a security fix and it is important to update, since it might lead to a privilege escalation if the X server is run as root (which is the default) Security: CVE-2013-6462 Modified: head/security/vuxml/vuln.xml head/x11-fonts/libXfont/Makefile head/x11-fonts/libXfont/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Jan 8 10:22:03 2014 (r339085) +++ head/security/vuxml/vuln.xml Wed Jan 8 10:42:04 2014 (r339086) @@ -51,6 +51,40 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="28c575fa-784e-11e3-8249-001cc0380077"> + <topic>libXfont -- Stack buffer overflow in parsing of BDF font files in libXfont</topic> + <affects> + <package> + <name>libXfont</name> + <range><lt>1.4.7,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>freedesktop.org reports:</p> + <blockquote cite="http://lists.x.org/archives/xorg-announce/2014-January/002389.html">; + <p>A BDF font file containing a longer than expected string can cause + a buffer overflow on the stack. Testing in X servers built with + Stack Protector restulted in an immediate crash when reading a + user-proveded specially crafted font.</p> + <p>As libXfont is used to read user-specified font files in all X + servers distributed by X.Org, including the Xorg server which is + often run with root privileges or as setuid-root in order to access + hardware, this bug may lead to an unprivileged user acquiring root + privileges in some systems.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2013-6462</cvename> + <url>http://lists.x.org/archives/xorg-announce/2014-January/002389.html</url>; + </references> + <dates> + <discovery>2013-12-24</discovery> + <entry>2014-01-08</entry> + </dates> + </vuln> + <vuln vid="5aaa257e-772d-11e3-a65a-3c970e169bc2"> <topic>openssl -- multiple vulnerabilities</topic> <affects> Modified: head/x11-fonts/libXfont/Makefile ============================================================================== --- head/x11-fonts/libXfont/Makefile Wed Jan 8 10:22:03 2014 (r339085) +++ head/x11-fonts/libXfont/Makefile Wed Jan 8 10:42:04 2014 (r339086) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXfont -PORTVERSION= 1.4.6 +PORTVERSION= 1.4.7 PORTEPOCH= 1 CATEGORIES= x11-fonts Modified: head/x11-fonts/libXfont/distinfo ============================================================================== --- head/x11-fonts/libXfont/distinfo Wed Jan 8 10:22:03 2014 (r339085) +++ head/x11-fonts/libXfont/distinfo Wed Jan 8 10:42:04 2014 (r339086) @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXfont-1.4.6.tar.bz2) = d0cbfe4554dc17ceea413cdad5601d35ed8d05d5b880e60931a8775fd1157e9f -SIZE (xorg/lib/libXfont-1.4.6.tar.bz2) = 489067 +SHA256 (xorg/lib/libXfont-1.4.7.tar.bz2) = d16ea3541835d296b19cfb05d7e64fc62173d8e7eb93284402ec761b951d1543 +SIZE (xorg/lib/libXfont-1.4.7.tar.bz2) = 482851
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201401081042.s08Ag5Hf021085>