Debian 10230 Published by

Updated libxfont packages has been released for Debian GNU/Linux 7 LTS



Package : libxfont
Version : 1:1.4.5-5+deb7u1
CVE IDs : CVE-2017-13720 CVE-2017-13722

It was discovered that there two vulnerabilities the library providing
font selection and rasterisation, libxfont:

* CVE-2017-13720: If a pattern contained a '?' character any character
in the string is skipped even if it was a '\0'. The rest of the
matching then read invalid memory.

* CVE-2017-13722: A malformed PCF file could cause the library to make
reads from random heap memory that was behind the `strings` buffer,
leading to an application crash or a information leak.

For Debian 7 "Wheezy", this issue has been fixed in libxfont version
1:1.4.5-5+deb7u1.

We recommend that you upgrade your libxfont packages.