This is an old revision of the document!
Slackware-13.1 ChangeLog (2017-11-29)
Wed Nov 29 08:15:09 UTC 2017
Packages
Upgraded
- patches/packages/libXcursor-1.1.15-i486-1_slack13.1.txz
Fix heap overflows when parsing malicious files. (CVE-2017-16612)
It is possible to trigger heap overflows due to an integer overflow
while parsing images and a signedness issue while parsing comments.
The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows the
check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to allocate
less memory than needed for subsequent reads.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
(* Security fix *)
Rebuilt
- patches/packages/libXfont-1.4.7-i486-2_slack13.1.txz
Open files with O_NOFOLLOW. (CVE-2017-16611)
A non-privileged X client can instruct X server running under root
to open any file by creating own directory with “fonts.dir”,
“fonts.alias” or any font file being a symbolic link to any other
file in the system. X server will then open it. This can be issue
with special files such as /dev/watchdog (which could then reboot
the system).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611
(* Security fix *)