A low privileged user can create symlinks to trigger arbitrary file reads by X server. Under certain configurations, a user can create a symlink to special files (e.g. /dev/watchdog) to cause a denial of service. A non-privileged X client can instruct X server running under root to open any file by creating a directory with symlinks(s) named "fonts.dir", "fonts.alias" or any font file to link to any other file in the system. X server will follow the symlink and open and read the file. When opened and under certain configurations, special files like /dev/watchdog can trigger system operations (e.g. reboot). References: http://openwall.com/lists/oss-security/2017/11/28/7 https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?h=libXfont-1.5-branch&id=5ed8ac0e4f063825b8ecda48e9a111d3ce92e825 https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8
Created libXfont tracking bugs for this issue: Affects: fedora-all [bug 1519084] Created libXfont2 tracking bugs for this issue: Affects: fedora-all [bug 1519083]