Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Ausführen beliebiger Kommandos in fontconfig
Aktuelle Meldungen Distributionen
Name: Ausführen beliebiger Kommandos in fontconfig
ID: DSA-3644-1
Distribution: Debian
Plattformen: Debian sid, Debian jessie
Datum: Mo, 8. August 2016, 22:54
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3644-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 08, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : fontconfig
CVE ID : CVE-2016-5384
Debian Bug : 833570

Tobias Stoeckmann discovered that cache files are insufficiently
validated in fontconfig, a generic font configuration library. An
attacker can trigger arbitrary free() calls, which in turn allows double
free attacks and therefore arbitrary code execution. In combination with
setuid binaries using crafted cache files, this could allow privilege
escalation.

For the stable distribution (jessie), this problem has been fixed in
version 2.11.0-6.3+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.11.0-6.5.

We recommend that you upgrade your fontconfig packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXqLSmAAoJEAVMuPMTQ89EiD4P/3KOmBFD+qXc+z3bYbaIU4ED
1D/y9kj6janO2Ud1A/BhGarBcMIUIeB2qzpFmPv4bvGUfzmqMu5gQu820A09ua5W
ACkV6cBkhCHFXQLgE5ACnVG/tz3bZjr41t6G7UIsyi0/GSTNkE2cgx8rYLERdGX9
EkU8HzSGUE9ksVCIDH55pjUOfpEWhS55IVkCq/dj7X6PpcgUyUfVeJto35UaaYJa
rfu+Wqz4MQ94L1x/U86+/7Px1VCAkf0UihyOwdpWVroPeMmHOq9ufx+A6m+S2UEO
JV/JyVb0f8oMlgKtogSdbOHXeC2WoodSZuvFn9/Tphr0urr28cwQaxxBCDzo6jCX
MEnTLgk/CCb2AymdtFdTnrCxzJRr65Y+7BkaH04uByBqZsz013frkAtSq4X+cDVQ
25OlvaCOx8cxdSQ5RfOxDaE9y8/YJ7g29aX6YMjL3WBAVbFXyjfQgR4BGnLT/ISC
AgStUOC1kxITMHfIh7WcAcxf2ERaZ9XMb639gn6WNBXveEk/97QqiRzFBjki42tu
FRYk5sBU9dphdlWCazVdi438r7phmZ5imPC2GSP5InoOQ3n56nftTeFHik92r1cU
BMYK2XNs0lLBwTYYtONgxeUOAByP2QY7JpNnYDju6mLRu5jLs/AT8KevUGE8mQnr
T5vbbxehs6hL+4yESxjk
=eJpz
-----END PGP SIGNATURE-----
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung