Conectiva alert: XFree86

Posted by dave on Feb 20, 2004 10:38 AM EDT

A variety of issues are addressed in this update.


- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE           : XFree86
SUMMARY           : Fix for font related vulnerabilities
DATE              : 2004-02-20 15:45:00
ID                : CLA-2004:821
RELEVANT RELEASES : 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
XFree86[1] is a freely redistributable open-source implementation of the X Window System, which is a client/server interface between display hardware and the desktop environment. Xlib is one of the main libraries of XFree86.

The following issues are being addressed in this update:

- Improper handling of font files (CAN-2004-0083[2], CAN-2004-0084[4] and CAN-2004-0106[6])

  Greg MacManus from iDEFENSE Labs discovered[3][5] two vulnerabilities in the way the X server handles font files. David Dawes from the XFree86 team did a further audit and found more problems of the same kind[6]. All of these vulnerabilities allow an attacker who can authenticate to the X server, or who can start it locally, to execute arbitrary code as root.

- Multiple integer overflows in font libraries (CAN-2003-0730[7])

  [] of isen reported[8] multiple integer overflows in the XFree86 font libraries that allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks.
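The integer overflows behind CAN-2003-0730 belong to a well-known class: a font file's own size fields are multiplied in 32-bit arithmetic, the product wraps, and the resulting undersized heap buffer is then filled using the unwrapped row count. The C program below is an added example written for this page; it is not XFree86's code, not Conectiva's, and not the actual XFree86 bug. It uses a constructed mini glyph format (8-byte little-endian header, then bitmap rows), an assumed MAX_DIM sanity cap, and constructed sample files, and shows the wrapping size computation beside a hardened loader. The font-file handling bugs in CAN-2004-0083/0084/0106 are a different defect and are not modeled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mini glyph format for this example (NOT XFree86's on-disk
 * format): 4-byte little-endian width in pixels, 4-byte little-endian
 * height in rows, then `height` rows of ceil(width / 8) bitmap bytes. */
#define HDR_LEN 8
/* Assumed sanity cap on either dimension; XFree86's real limits differ. */
#define MAX_DIM (1u << 15)

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the allocation size is computed in 32-bit arithmetic
 * straight from file-controlled fields. Both the "+ 7" and the multiply can
 * wrap, so a hostile header yields a tiny (even zero) malloc while the
 * row-copy loop still iterates `height` times: a heap overflow. Exposed here
 * only so the wrapped value can be inspected; never allocate from it. */
size_t bitmap_bytes_unchecked(uint32_t width, uint32_t height)
{
    uint32_t bytes_per_row = (width + 7) / 8;   /* wraps for width >= 0xFFFFFFF9 */
    return (size_t)(bytes_per_row * height);    /* wraps for large products */
}

/* Hardened: range-check each field first, then compute in 64-bit arithmetic
 * so neither step can wrap. Returns 1 and sets *out, or 0 to reject.
 * If MAX_DIM is ever raised, also compare `total` against SIZE_MAX. */
int bitmap_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    uint64_t bytes_per_row = ((uint64_t)width + 7) / 8;
    uint64_t total = bytes_per_row * (uint64_t)height;
    *out = (size_t)total;
    return 1;
}

/* Convenience wrapper: the checked size, or -1 when rejected. */
long long checked_size_or_minus1(uint32_t width, uint32_t height)
{
    size_t n;
    return bitmap_bytes_checked(width, height, &n) ? (long long)n : -1;
}

/* Hardened loader: parse the header, validate the size, verify the file
 * really contains the rows it claims, then copy. Returns a malloc'd bitmap
 * (caller frees) and sets *out_len, or NULL on any inconsistency. */
uint8_t *load_glyph_checked(const uint8_t *buf, size_t len, size_t *out_len)
{
    if (len < HDR_LEN)
        return NULL;
    uint32_t width = rd_le32(buf), height = rd_le32(buf + 4);
    size_t need;
    if (!bitmap_bytes_checked(width, height, &need))
        return NULL;
    if (len - HDR_LEN < need)           /* truncated file */
        return NULL;
    uint8_t *bitmap = malloc(need);
    if (bitmap == NULL)
        return NULL;
    memcpy(bitmap, buf + HDR_LEN, need);
    *out_len = need;
    return bitmap;
}

/* Bitmap length the checked loader accepts for a buffer, or -1 if rejected. */
long long load_len(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    uint8_t *bm = load_glyph_checked(buf, len, &n);
    if (bm == NULL)
        return -1;
    free(bm);
    return (long long)n;
}

/* Constructed sample files (not real font data). */
const uint8_t GOOD_GLYPH[]  = { 8, 0, 0, 0,  2, 0, 0, 0,  0xAA, 0x55 }; /* 8x2, 2 body bytes */
const uint8_t TRUNC_GLYPH[] = { 8, 0, 0, 0,  4, 0, 0, 0,  0xAA, 0x55 }; /* claims 4 rows, has 2 */
/* width 0x80000000, height 16: 0x10000000 bytes/row * 16 wraps to 0 in 32 bits */
const uint8_t WRAP_GLYPH[]  = { 0, 0, 0, 0x80,  16, 0, 0, 0,  0xAA, 0x55 };

int main(void)
{
    printf("unchecked size for WRAP_GLYPH header: %zu (wrapped)\n",
           bitmap_bytes_unchecked(0x80000000u, 16));
    printf("checked loader: good=%lld trunc=%lld wrap=%lld\n",
           load_len(GOOD_GLYPH, sizeof GOOD_GLYPH),
           load_len(TRUNC_GLYPH, sizeof TRUNC_GLYPH),
           load_len(WRAP_GLYPH, sizeof WRAP_GLYPH));
    return 0;
}
```

The WRAP_GLYPH header makes the unchecked computation return 0, so a loader built on it would call malloc(0) and then copy sixteen rows of 256 MiB each into it; the checked path rejects the header before any allocation, and separately rejects files whose body is shorter than the header promises.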

SOLUTION
It is recommended that all XFree86 users upgrade their packages.

REFERENCES
1. XFree86
2. CAN-2004-0083
3. iDEFENSE Labs advisory
4. CAN-2004-0084
5. iDEFENSE Labs advisory


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

- run:                 apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at

Instructions on how to check the signatures of the RPM packages can be found at

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.

- -------------------------------------------------------------------------
subscribe: []
unsubscribe: []

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see

iD8DBQFANkg442jd0JmAcZARAs0TAJwLBr4bX9EWhUv0T4Vp7yg7LbrVpwCeN55N
NeVp3BN/EbxEjiyYn34Xa3o=
=GcSG
-----END PGP SIGNATURE-----
