Bug 1519082 (CVE-2017-16611)

Summary: CVE-2017-16611 libXfont: User can trigger arbitrary file read by X server causing a DoS
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ajax, alexl, btissoir, caillon+fedoraproject, fonts-bugs, jglisse, john.j5live, rhughes, rstrode, sandmann
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libXfont 1.5.4, libXfont2 2.0.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-01 04:30:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1519083, 1519084    
Bug Blocks: 1519085    

Description Sam Fowler 2017-11-30 05:42:54 UTC 
A low privileged user can create symlinks to trigger arbitrary file reads by X server. Under certain configurations, a user can create a symlink to special files (e.g. /dev/watchdog) to cause a denial of service.

A non-privileged X client can instruct X server running under root to open any file by creating a directory with symlinks(s) named "fonts.dir", "fonts.alias" or any font file to link to any other file in the system. X server will follow the symlink and open and read the file. When opened and under certain configurations, special files like /dev/watchdog can trigger system operations (e.g. reboot).

References:
http://openwall.com/lists/oss-security/2017/11/28/7
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?h=libXfont-1.5-branch&id=5ed8ac0e4f063825b8ecda48e9a111d3ce92e825
https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8
Comment 1 Sam Fowler 2017-11-30 05:43:16 UTC 
Created libXfont tracking bugs for this issue:

Affects: fedora-all [bug 1519084]


Created libXfont2 tracking bugs for this issue:

Affects: fedora-all [bug 1519083]