Bug 2511

Summary: libxfont needs to be updated to 1.4.4 (security fix)
Product: Mageia
Reporter: Thierry Vignaud <thierry.vignaud>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, dmorganec, eeeemail, sysadmin-bugs
Version: 1
Keywords: Junior_job, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: libxfont
CVE:
Status comment:

Description Thierry Vignaud 2011-08-25 14:22:04 CEST
libxfont needs to be updated to 1.4.4 (security fix).
We could either backport the new release (mainly the security fix + a memleak) or backport the fix:

---------- Forwarded message ----------
The major change in this release is a fix for:

  LZW decompress: fix for CVE-2011-2895

  Specially crafted LZW stream can crash an application using libXfont
  that is used to open untrusted font files.  With X server, this may
  allow privilege escalation when exploited

More information about this security issue can be found in the advisory at:
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html


Alan Coopersmith (2):
    Sun's copyrights belong to Oracle now
    Fix memory leak in allocation failure path of BitmapOpenScalable()

Gaetan Nadon (4):
    config: HTML file generation: use the installed copy of xorg.css
    config: remove AC_PROG_CC as it overrides AC_PROG_C_C99
    config: comment, minor upgrade, quote and layout configure.ac
    doc: use common makefile for developers documentation

Matthieu Herrb (1):
    libXfont 1.4.4

Paulo Zanoni (1):
    Use docbookx.dtd version 4.3 for all docs

Thomas Hoger (1):
    LZW decompress: fix for CVE-2011-2895

git tag: libXfont-1.4.4

http://xorg.freedesktop.org/archive/individual/lib/libXfont-1.4.4.tar.bz2
MD5:  f9942bc818d39094d7295b156a729393
SHA1: 189dd7a3756cb80bcf41b779bf05ec3c366e3041
SHA256: a2065f5f66882f7a9cb0eb674e16d284da48e449af443eda272e99832be8239a

http://xorg.freedesktop.org/archive/individual/lib/libXfont-1.4.4.tar.gz
MD5:  21312cee1347deaca18453f70c272ab0
SHA1: e5db2aaf6f35a28efdb0ef24e8839a5cd8f7d84d
SHA256: c52a978748d12ba0bbf54e60542e8e2ae5b624821e02b78cd2dc30b2aa9bb804

Comment 1 D Morgan 2011-08-25 14:35:22 CEST
What kind of tests can QA do to validate this update?

CC: (none) => dmorganec

Comment 2 Thierry Vignaud 2011-08-25 15:39:46 CEST
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html

=> http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0 (the fix)

=> https://bugzilla.redhat.com/show_bug.cgi?id=725760
(redhat tracking bug)

No test case provided, but it has been assigned a CVE ID and has been pushed by other distros.

Comment 3 Manuel Hiebel 2011-08-30 10:11:42 CEST
Thierry, can you update libxfont?

Thierry Vignaud 2011-08-31 11:16:14 CEST

Assignee: bugsquad => security

Manuel Hiebel 2011-09-01 14:36:59 CEST

Keywords: (none) => Junior_job

Comment 4 D Morgan 2011-09-04 02:26:34 CEST
pushed in update_testing.

Assignee: security => qa-bugs

Comment 5 claire robinson 2011-09-04 15:50:29 CEST
As there is no practical way to test the security fix, what steps can we take to check libXfont works as expected?

Thanks

CC: (none) => eeeemail

Comment 6 claire robinson 2011-09-08 14:54:34 CEST
libxfont appears to be used by Remmina, which works/displays correctly.

TTY's also display correctly.

Is this sufficient testing to be able to validate this update?

If so, then i586 checked OK.

Comment 7 Dave Hodgins 2011-09-09 03:36:17 CEST
(In reply to comment #6)
> libxfont appears to be used by Remmina, which works/displays correctly.

It's actually used by /usr/bin/Xorg, so you have to restart the X server
after installing the update.  Then any X application that displays text
is adequate for the test.

Testing complete on i586.  Anyone tested on x86-64?

The srpm is libxfont-1.4.3-1.1.mga1.src.rpm

Advisory:
This security update for libXfont fixes a bug in the LZW decompress
routine, as described in CVE-2011-2895.

CC: (none) => davidwhodgins
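
As an added example, not from the bug report or the Mageia package: a POSIX shell check for the point made in comment 7. A shared library replaced on disk stays mapped, marked "(deleted)", in every process that loaded it before the update, so for libXfont the fix is not live until the X server is restarted. The script reads /proc/<pid>/maps; the sample maps lines and the library file name in them are constructed, and /proc/<pid>/comm is assumed available.

```shell
#!/bin/sh
# Added example (not from the bug report): find processes that still map a
# deleted, pre-update copy of a shared library. For libXfont that process is
# normally /usr/bin/Xorg, which must be restarted for the fix to take effect.

# maps_show_stale_lib LIBNAME
#   Read one process's /proc/<pid>/maps on stdin. Exit 0 if a shared object
#   whose file name contains LIBNAME is marked "(deleted)", else 1.
maps_show_stale_lib() {
    grep -qE "/[^[:space:]]*$1[^[:space:]]*\.so[^[:space:]]*[[:space:]]+\(deleted\)"
}

# stale_lib_pids LIBNAME
#   Print "<pid> <command>" for every process on this host that still maps a
#   deleted copy of LIBNAME. Exit 0 if any was found, 1 if none.
#   Run as root to be able to read the X server's maps file.
stale_lib_pids() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # A process may exit between the glob and the read; ignore those.
        if maps_show_stale_lib "$1" < "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
            found=0
        fi
    done
    return $found
}

# Constructed sample maps lines (not from a real host): a stale mapping of the
# pre-update library, and a current mapping of the same file name.
SAMPLE_STALE='7f3a00000000-7f3a00020000 r-xp 00000000 08:01 131074 /usr/lib64/libXfont.so.1.4.1 (deleted)'
SAMPLE_CURRENT='7f3a00000000-7f3a00020000 r-xp 00000000 08:01 131075 /usr/lib64/libXfont.so.1.4.1'

# Self-check on the samples, then a live scan when invoked with --scan.
if printf '%s\n' "$SAMPLE_STALE" | maps_show_stale_lib libXfont \
   && ! printf '%s\n' "$SAMPLE_CURRENT" | maps_show_stale_lib libXfont; then
    echo "self-check: OK"
fi
if [ "${1:-}" = "--scan" ]; then
    if stale_lib_pids libXfont; then
        echo "restart the processes above (e.g. the X server) to pick up the fix"
    else
        echo "no process maps a stale libXfont"
    fi
fi
```

Run it as `sh stale-libxfont.sh --scan` (as root) right after installing the update; an empty list means every process already uses the new library.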

Comment 8 claire robinson 2011-09-09 15:11:58 CEST
Thanks for that Dave.

Tested OK x86_64 too.

The srpm is libxfont-1.4.3-1.1.mga1.src.rpm

Advisory:
This security update for libXfont fixes a bug in the LZW decompress
routine, as described in CVE-2011-2895.

Could somebody from sysadmin please push from core/updates_testing to core/updates.

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 D Morgan 2011-09-09 15:35:26 CEST
update pushed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED