libxfont needs to be updated to 1.4.4 (security fix). We could either backport the new release (mainly the security fix + a memleak) or backport the fix:

---------- Forwarded message ----------

The major change in this release is a fix for:

LZW decompress: fix for CVE-2011-2895

Specially crafted LZW stream can crash an application using libXfont that is used to open untrusted font files. With X server, this may allow privilege escalation when exploited.

More information about this security issue can be found in the advisory at:
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html

Alan Coopersmith (2):
Sun's copyrights belong to Oracle now
Fix memory leak in allocation failure path of BitmapOpenScalable()

Gaetan Nadon (4):
config: HTML file generation: use the installed copy of xorg.css
config: remove AC_PROG_CC as it overrides AC_PROG_C_C99
config: comment, minor upgrade, quote and layout configure.ac
doc: use common makefile for developers documentation

Matthieu Herrb (1):
libXfont 1.4.4

Paulo Zanoni (1):
Use docbookx.dtd version 4.3 for all docs

Thomas Hoger (1):
LZW decompress: fix for CVE-2011-2895

git tag: libXfont-1.4.4

http://xorg.freedesktop.org/archive/individual/lib/libXfont-1.4.4.tar.bz2
MD5: f9942bc818d39094d7295b156a729393
SHA1: 189dd7a3756cb80bcf41b779bf05ec3c366e3041
SHA256: a2065f5f66882f7a9cb0eb674e16d284da48e449af443eda272e99832be8239a

http://xorg.freedesktop.org/archive/individual/lib/libXfont-1.4.4.tar.gz
MD5: 21312cee1347deaca18453f70c272ab0
SHA1: e5db2aaf6f35a28efdb0ef24e8839a5cd8f7d84d
SHA256: c52a978748d12ba0bbf54e60542e8e2ae5b624821e02b78cd2dc30b2aa9bb804
What kind of tests can QA do to validate this update?
CC: (none) => dmorganec
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html
=> http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0 (the fix)
=> https://bugzilla.redhat.com/show_bug.cgi?id=725760 (redhat tracking bug)

no test case provided but it has been assigned a CVE ID and has been pushed by other distros
Thierry, can you update libxfont ?
Assignee: bugsquad => security
Keywords: (none) => Junior_job
pushed in update_testing.
Assignee: security => qa-bugs
As there is no practical way to test the security fix, what steps can we take to check libXfont works as expected? Thanks
CC: (none) => eeeemail
libxfont appears to be used by Remmina, which works/displays correctly. TTY's also display correctly. Is this sufficient testing to be able to validate this update? If so then i586 checked OK.
(In reply to comment #6)
> libxfont appears to be used by Remmina, which works/displays correctly.

It's actually used by /usr/bin/Xorg, so you have to restart the X server after installing the update. Then any X application that displays text is adequate for the test.

Testing complete on i586. Anyone tested on x86-64?

The srpm is libxfont-1.4.3-1.1.mga1.src.rpm

Advisory: This security update for libXfont fixes a bug in the LZW decompress routine, as described in CVE-2011-2895.
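The point above, that the library is mapped by the running Xorg process and not only by the client applications, is easy to check on the updated host: a process that still maps the replaced on-disk file shows the mapping as "(deleted)" in /proc/<pid>/maps. The script below is an added example, not part of this bug report or of the libxfont package; it assumes Python 3 on a Linux host, and the maps excerpts it ships with are constructed sample data, not captured from a real system.

```python
import os
import re

# Constructed /proc/<pid>/maps excerpts (sample data, not from the bug report).
# pid 1234 stands in for an Xorg started before the update: the package manager
# replaced the file on disk, so the kernel marks its old mapping "(deleted)".
# pid 2345 stands in for a client started after the update; pid 3456 does not
# use libXfont at all.
SAMPLE_MAPS = {
    1234: (
        "7f3a12000000-7f3a12040000 r-xp 00000000 08:01 393220  /usr/lib64/libXfont.so.1 (deleted)\n"
        "7f3a12240000-7f3a12241000 rw-p 00040000 08:01 393220  /usr/lib64/libXfont.so.1 (deleted)\n"
        "7f3a12300000-7f3a12480000 r-xp 00000000 08:01 393100  /usr/lib64/libc-2.13.so\n"
    ),
    2345: "7f8b00000000-7f8b00040000 r-xp 00000000 08:01 393800  /usr/lib64/libXfont.so.1\n",
    3456: "7fcc00000000-7fcc00180000 r-xp 00000000 08:01 393100  /usr/lib64/libc-2.13.so\n",
}

LIB_RE = re.compile(r"/libXfont\.so")


def mapped_libxfont(maps_text):
    """Return {path: was_replaced_on_disk} for every libXfont mapping in one maps file."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [path]
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if LIB_RE.search(path):
            found[path] = deleted or found.get(path, False)
    return found


def processes_needing_restart(maps_by_pid):
    """PIDs still executing a libXfont image that has been replaced on disk."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(mapped_libxfont(text).values()))


def read_live_maps():
    """Collect /proc/<pid>/maps for every readable process (root sees all of them)."""
    result = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/maps") as fh:
                    result[int(name)] = fh.read()
            except OSError:
                continue  # process exited or not readable by this user
    return result


if __name__ == "__main__":
    for pid in processes_needing_restart(read_live_maps()):
        print(f"pid {pid} still runs the pre-update libXfont; restart it")
```

An empty result after the X server has been restarted confirms that no process is still running the pre-update code.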
CC: (none) => davidwhodgins
Thanks for that Dave. Tested OK x86_64 too.

The srpm is libxfont-1.4.3-1.1.mga1.src.rpm

Advisory: This security update for libXfont fixes a bug in the LZW decompress routine, as described in CVE-2011-2895.

Could somebody from sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED