According to the versions of the libXfont package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.(CVE-2011-2895)
In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server.(CVE-2017-13722)
In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because ‘\0’ characters are incorrectly skipped in situations involving ? characters.(CVE-2017-13720)
In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files.(CVE-2017-16611)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(131849);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/05");
script_cve_id(
"CVE-2011-2895",
"CVE-2017-13720",
"CVE-2017-13722",
"CVE-2017-16611"
);
script_bugtraq_id(49124);
script_name(english:"EulerOS 2.0 SP2 : libXfont (EulerOS-SA-2019-2357)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the libXfont package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- The LZW decompressor in (1) the BufCompressedFill
function in fontfile/decompress.c in X.Org libXfont
before 1.4.4 and (2) compress/compress.c in 4.3BSD, as
used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD
4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1,
FreeType 2.1.9, and other products, does not properly
handle code words that are absent from the
decompression table when encountered, which allows
context-dependent attackers to trigger an infinite loop
or a heap-based buffer overflow, and possibly execute
arbitrary code, via a crafted compressed stream, a
related issue to CVE-2006-1168 and
CVE-2011-2896.(CVE-2011-2895)
- In the pcfGetProperties function in bitmap/pcfread.c in
libXfont through 1.5.2 and 2.x before 2.0.2, a missing
boundary check (for PCF files) could be used by local
attackers authenticated to an Xserver for a buffer
over-read, for information disclosure or a crash of the
X server.(CVE-2017-13722)
- In the PatternMatch function in fontfile/fontdir.c in
libXfont through 1.5.2 and 2.x before 2.0.2, an
attacker with access to an X connection can cause a
buffer over-read during pattern matching of fonts,
leading to information disclosure or a crash (denial of
service). This occurs because '\0' characters are
incorrectly skipped in situations involving ?
characters.(CVE-2017-13720)
- In libXfont before 1.5.4 and libXfont2 before 2.0.3, a
local attacker can open (but not read) files on the
system as root, triggering tape rewinds, watchdogs, or
similar mechanisms that can be triggered by opening
files.(CVE-2017-16611)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2357
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bd72a1c");
script_set_attribute(attribute:"solution", value:
"Update the affected libXfont packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-2895");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-13722");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libXfont");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["libXfont-1.5.1-2.h2"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXfont");
}