Bug 992534 (CVE-2016-5384) - VUL-1: CVE-2016-5384: fontconfig: Possible double free due to insufficiently validated cache files
Status: RESOLVED FIXED
Alias: CVE-2016-5384
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low; Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171657/
Whiteboard: CVSSv2:SUSE:CVE-2016-5384:3.7:(AV:L/A...
Reported: 2016-08-08 07:22 UTC by Sebastian Krahmer
Modified: 2016-09-28 16:20 UTC
Found By: Security Response Team
Description Sebastian Krahmer 2016-08-08 07:22:17 UTC
Quoting from RH BZ:

It was reported that offsets contained in cache files aren't checked if they're in legal ranges or are pointers at all. The lack of validation allows an attacker to trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. When used with setuid binaries using crafted cachefiles, privilege escalation is possible.
rh#1350891



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1350891
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5384
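
Added example, not part of the bug report and not fontconfig's code or its actual fix: a sketch of the kind of validation the description says was missing, where every offset read from an untrusted cache file is range-checked before anything follows it. The header layout, magic value and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, not fontconfig's: every reference stored in the
 * file is a byte offset from the start of the buffer, never a pointer. */
struct cache_hdr {
    uint32_t magic;
    uint32_t size;        /* total bytes the file claims to hold */
    uint32_t names_off;   /* offset of a uint32_t[names_count] table */
    uint32_t names_count; /* each entry: offset of a NUL-terminated name */
};
#define CACHE_MAGIC 0xC0FFEE01u /* constructed value */

/* Returns 1 only if every offset can be followed without leaving buf. */
int cache_offsets_valid(const unsigned char *buf, size_t len)
{
    struct cache_hdr h;
    if (len < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    if (h.magic != CACHE_MAGIC || h.size != len) return 0;
    /* bound the count first so count * 4 cannot wrap */
    if (h.names_count > (h.size - sizeof h) / 4) return 0;
    if (h.names_off % 4 || h.names_off < sizeof h ||
        h.names_off > h.size - h.names_count * 4u) return 0;
    for (uint32_t i = 0; i < h.names_count; i++) {
        uint32_t off;
        memcpy(&off, buf + h.names_off + i * 4u, sizeof off);
        if (off < sizeof h || off >= h.size) return 0;
        /* the name must terminate before the end of the file */
        if (!memchr(buf + off, '\0', h.size - off)) return 0;
    }
    return 1;
}

/* Constructed 28-byte sample: header, one table entry, then "a.ttf".
 * entry_off is the value stored in the table; 20 is the honest one. */
int check_sample(uint32_t entry_off)
{
    unsigned char buf[28] = {0};
    struct cache_hdr h = { CACHE_MAGIC, (uint32_t)sizeof buf, 16, 1 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + 16, &entry_off, sizeof entry_off);
    memcpy(buf + 20, "a.ttf", 6);
    return cache_offsets_valid(buf, sizeof buf);
}
```

A loader built this way rejects the whole file on the first bad offset, so no later code path ever dereferences or frees a value taken from the file.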
Comment 4 Petr Gajdos 2016-08-11 15:05:47 UTC
10sp3 looks not affected (or at least I do not see the code there).
Comment 6 Sebastian Krahmer 2016-08-30 07:51:45 UTC
released
Comment 7 Swamp Workflow Management 2016-08-30 11:09:22 UTC
SUSE-SU-2016:2186-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 992534
CVE References: CVE-2016-5384
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    fontconfig-2.6.0-10.19.1
SUSE Linux Enterprise Server 11-SP4 (src):    fontconfig-2.6.0-10.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    fontconfig-2.6.0-10.19.1
Comment 8 Swamp Workflow Management 2016-08-30 11:11:24 UTC
SUSE-SU-2016:2190-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 992534
CVE References: CVE-2016-5384
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    fontconfig-2.11.0-6.1
SUSE Linux Enterprise Server 12-SP1 (src):    fontconfig-2.11.0-6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    fontconfig-2.11.0-6.1
Comment 9 Swamp Workflow Management 2016-09-09 12:09:15 UTC
openSUSE-SU-2016:2272-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 992534
CVE References: CVE-2016-5384
Sources used:
openSUSE Leap 42.1 (src):    fontconfig-2.11.0-5.1