On 2017-11-01 01:07 PM, Alexander Kanavin wrote:
On 11/01/2017 06:28 PM, Catalin Enache wrote:
In the PatternMatch function in fontfile/fontdir.c in libXfont through
1.5.2
and 2.x before 2.0.2, an attacker with access to an X connection can
cause
a buffer over-read during pattern matching of fonts, leading to
information
disclosure or a crash (denial of service). This occurs because '\0'
characters are incorrectly skipped in situations involving ? characters.
In the pcfGetProperties function in bitmap/pcfread.c in libXfont
through 1.5.2
and 2.x before 2.0.2, a missing boundary check (for PCF files) could
be used
by local attackers authenticated to an Xserver for a buffer over-read,
for
information disclosure or a crash of the X server.
If both 1.x and 2.x are vulnerable, you should update them both (not
just 1.x).
Sure but 2.x isn't in morty, see below.
Also, it's better to update to a version that is not
vulnerable, rather than backport patches.
Alex
Alex,
Catalin works on the WR sustaining team so his mandate is to take care
of released products where updating isn't typically permitted.
Now that oe-core-2.2 is out, we'll be sending patches for rocko as
well but we're in a transition time for a while so bear with us please.
If master and rocko have the same code, then of course we Catalin would
target master and arrange to have the commit backported.
Catalin,
Please tag your commits if they are strictly for the morty
branch using something like:
[OE-core][morty][PATCH] foo: the bar should be zinged
[OE-core][PATCH][morty] foo: the bar should be zinged
as per:
https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
Thanks,
--
# Randy MacLeod. WR Linux
# Wind River an Intel Company
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
