FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libXfont -- multiple memory leaks

Affected packages
libXfont < 1.5.3
libXfont2 < 2.0.2


VuXML ID: 3b9590a1-e358-11e7-a293-54e1ad3d6335
Discovery: 2017-10-04
Entry: 2017-12-17

The project reports:

If a pattern contains a '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory.

Without the checks, a malformed PCF file can cause the library to make an atom from random heap memory that was behind the `strings` buffer. This may crash the process or leak information.


CVE Name: CVE-2017-13720
CVE Name: CVE-2017-13722
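
The first issue the project reports, a '?' wildcard that consumes the string terminator, is shown here on a simplified matcher as an added C example. It is not libXfont's code: `glob_match`, its `check_nul` switch, the `max_read` counter and the sample buffer are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified glob matcher: '?' = any one character, '*' = any run.
 * Hypothetical helper written for this example, not libXfont code.
 * check_nul = 0 reproduces the reported flaw ('?' consumes the '\0');
 * check_nul = 1 applies the fix. *max_read receives the highest index
 * of str the matcher reached, so an over-read can be observed. */
static int glob_match(const char *pat, const char *str, size_t pos,
                      int check_nul, size_t *max_read)
{
    for (; *pat; pat++) {
        if (pos > *max_read)
            *max_read = pos;
        if (*pat == '*') {
            for (;; pos++) {            /* try each suffix up to the '\0' */
                if (glob_match(pat + 1, str, pos, check_nul, max_read))
                    return 1;
                if (str[pos] == '\0')
                    return 0;
            }
        } else if (*pat == '?') {
            if (check_nul && str[pos] == '\0')
                return 0;               /* the fix: nothing left to skip */
            pos++;                      /* unchecked: may step past '\0' */
        } else if (str[pos++] != *pat) {
            return 0;
        }
    }
    if (pos > *max_read)
        *max_read = pos;
    return str[pos] == '\0';
}

int main(void)
{
    /* Constructed input: the string "ab", then bytes that merely sit
     * behind it in the same 16-byte buffer (so the demo stays in bounds). */
    char buf[16] = "ab\0HEAPDATA";
    for (int fixed = 0; fixed <= 1; fixed++) {
        size_t reached = 0;
        int hit = glob_match("ab?H*", buf, 0, fixed, &reached);
        printf("check_nul=%d match=%d reached index %zu (strlen=%zu)\n",
               fixed, hit, reached, strlen(buf));
    }
    return 0;
}
```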