Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 28 Nov 2017 15:55:24 +0100
From: Matthieu Herrb <>
Subject: CVE-2017-16611 libXfont Open files with O_NOFOLLOW


X.Org has just release libXfont 1.5.4 and libXfont2 2.0.3 which
contain the following security fix:

Author:     Michal Srb <>
AuthorDate: Thu Oct 26 09:48:13 2017 +0200
Commit:     Matthieu Herrb <>
CommitDate: Sat Nov 25 11:46:50 2017 +0100

    Open files with O_NOFOLLOW. (CVE-2017-16611)

    A non-privileged X client can instruct X server running under root
    to open any file by creating own directory with "fonts.dir",
    "fonts.alias" or any font file being a symbolic link to any other
    file in the system. X server will then open it. This can be issue
    with special files such as /dev/watchdog.
Matthieu Herrb

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.