diff -u libxfont-1.5.1/debian/changelog libxfont-1.5.1/debian/changelog
--- libxfont-1.5.1/debian/changelog
+++ libxfont-1.5.1/debian/changelog
@@ -1,3 +1,12 @@
+libxfont (1:1.5.1-1ubuntu0.16.04.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: non-privileged arbitrary file access
+ - debian/patches/CVE-2017-16611.patch: open files with O_NOFOLLOW in
+ src/fontfile/dirfile.c, src/fontfile/fileio.c.
+ - CVE-2017-16611
+
+ -- Marc Deslauriers Tue, 28 Nov 2017 14:46:50 -0500
+
 libxfont (1:1.5.1-1ubuntu0.16.04.3) xenial-security; urgency=medium
 
 * SECURITY UPDATE: invalid memory read in PatternMatch
diff -u libxfont-1.5.1/debian/patches/series libxfont-1.5.1/debian/patches/series
--- libxfont-1.5.1/debian/patches/series
+++ libxfont-1.5.1/debian/patches/series
@@ -3,0 +4 @@
+CVE-2017-16611.patch
only in patch2:
unchanged:
--- libxfont-1.5.1.orig/debian/patches/CVE-2017-16611.patch
+++ libxfont-1.5.1/debian/patches/CVE-2017-16611.patch
@@ -0,0 +1,104 @@
+From 5ed8ac0e4f063825b8ecda48e9a111d3ce92e825 Mon Sep 17 00:00:00 2001
+From: Michal Srb
+Date: Thu, 26 Oct 2017 09:48:13 +0200
+Subject: Open files with O_NOFOLLOW. (CVE-2017-16611)
+
+A non-privileged X client can instruct X server running under root to open any
+file by creating own directory with "fonts.dir", "fonts.alias" or any font file
+being a symbolic link to any other file in the system. X server will then open
+it. This can be issue with special files such as /dev/watchdog.
+
+Reviewed-by: Matthieu Herrb
+
+diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c
+index 38ced75..661787a 100644
+--- a/src/fontfile/dirfile.c
++++ b/src/fontfile/dirfile.c
+@@ -41,6 +41,7 @@ in this Software without prior written authorization from The Open Group.
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -60,8 +61,9 @@ FontFileReadDirectory (const char *directory, FontDirectoryPtr *pdir)
+ char dir_file[MAXFONTFILENAMELEN];
+ char dir_path[MAXFONTFILENAMELEN];
+ char *ptr;
+- FILE *file;
+- int count,
++ FILE *file = 0;
++ int file_fd,
++ count,
+ num_fonts,
+ status;
+ struct stat statb;
+@@ -91,7 +93,14 @@ FontFileReadDirectory (const char *directory, FontDirectoryPtr *pdir)
+ if (dir_file[strlen(dir_file) - 1] != '/')
+ strcat(dir_file, "/");
+ strcat(dir_file, FontDirFile);
++#ifndef WIN32
++ file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW);
++ if (file_fd >= 0) {
++ file = fdopen(file_fd, "rt");
++ }
++#else
+ file = fopen(dir_file, "rt");
++#endif
+ if (file) {
+ #ifndef WIN32
+ if (fstat (fileno(file), &statb) == -1)
+@@ -261,7 +270,8 @@ ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
+ char alias[MAXFONTNAMELEN];
+ char font_name[MAXFONTNAMELEN];
+ char alias_file[MAXFONTFILENAMELEN];
+- FILE *file;
++ int file_fd;
++ FILE *file = 0;
+ FontDirectoryPtr dir;
+ int token;
+ char *lexToken;
+@@ -279,7 +289,16 @@ ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
+ strcat(alias_file, "/");
+ strcat(alias_file, FontAliasFile);
+ }
++
++#ifndef WIN32
++ file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW);
++ if (file_fd >= 0) {
++ file = fdopen(file_fd, "rt");
++ }
++#else
+ file = fopen(alias_file, "rt");
++#endif
++
+ if (!file)
+ return ((errno == ENOENT) ? Successful : BadFontPath);
+ if (!dir)
+diff --git a/src/fontfile/fileio.c b/src/fontfile/fileio.c
+index d44cecd..992873a 100644
+--- a/src/fontfile/fileio.c
++++ b/src/fontfile/fileio.c
+@@ -39,6 +39,9 @@ in this Software without prior written authorization from The Open Group.
+ #ifndef O_CLOEXEC
+ #define O_CLOEXEC 0
+ #endif
++#ifndef O_NOFOLLOW
++#define O_NOFOLLOW 0
++#endif
+
+ FontFilePtr
+ FontFileOpen (const char *name)
+@@ -47,7 +50,7 @@ FontFileOpen (const char *name)
+ int len;
+ BufFilePtr raw, cooked;
+
+- fd = open (name, O_BINARY|O_CLOEXEC);
++ fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW);
+ if (fd < 0)
+ return 0;
+ raw = BufFileOpenRead (fd);
+--
+cgit v0.10.2
+
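Review bot: In the dirfile.c hunks of the added patch, both FontFileReadDirectory and ReadFontAlias leak the descriptor when `fdopen` returns NULL, because nothing closes `file_fd` on that path. A guard such as `if (file_fd >= 0 && (file = fdopen(file_fd, "rt")) == NULL) close(file_fd);` would cover it, assuming a declaration of `close` is in scope (the include names are not visible here). Separately, O_NOFOLLOW only rejects a symbolic link in the final path component, so a client-controlled directory path containing a symlinked parent is still traversed. The `#define O_NOFOLLOW 0` fallback in fileio.c also silently disables the check where the flag is missing, while dirfile.c has no such fallback and would presumably fail to build there; a comment such as `/* O_NOFOLLOW guards the last component only; no protection where it is defined to 0 */` next to the open calls would record both limits. Both function bodies continue outside the hunks.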