CVE-2017-13720

Summary

CVE	CVE-2017-13720
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-10-11 17:29:00 UTC
Updated	2017-11-13 02:29:00 UTC
Description	In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters.

Risk And Classification

Problem Types: CWE-125

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	X.org	Libxfont	2.0.0	All	All	All
Application	X.org	Libxfont	2.0.1	All	All	All
Application	X.org	Libxfont	2.0.0	All	All	All
Application	X.org	Libxfont	2.0.1	All	All	All
Application	X.org	Libxfont	All	All	All	All

References

Reference	Source	Link	Tags
Bug 1054285 – VUL-1: CVE-2017-13720: libXfont: string overread / Check for end of string in PatterMatch.	CONFIRM	bugzilla.suse.com	Issue Tracking, Third Party Advisory
LibXfont, LibXfont2: Multiple vulnerabilities (GLSA 201711-08) — Gentoo security	GENTOO	security.gentoo.org
Debian -- Security Information -- DSA-3995-1 libxfont	DEBIAN	www.debian.org
www.x.org/releases/individual/lib/libXfont2-2.0.2.tar.bz2	CONFIRM	www.x.org	Vendor Advisory
xorg/lib/libXfont - X font handling library for server & utilities	CONFIRM	cgit.freedesktop.org	Patch, Third Party Advisory
Bug 1500690 – CVE-2017-13720 libXfont: Insufficient input validation in fontdir.c	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

710462 Gentoo Linux LibXfont, LibXfont2 Multiple Vulnerabilities (GLSA 201711-08)