[3.5] fontconfig: Possible double free due to insufficiently validated cache files (CVE-2016-5384)
It was reported that offsets contained in cache files are not checked for being within legal ranges, or for whether they are pointers at all. The lack of validation allows an attacker to trigger arbitrary free() calls, which in turn allows double-free attacks and therefore arbitrary code execution. When used with setuid binaries and crafted cache files, privilege escalation is possible.
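An added example, not fontconfig's code and using a constructed toy cache layout rather than fontconfig's real one, of the kind of range, alignment and overflow validation that keeps a file-supplied offset from being dereferenced or handed to free() blindly:

```c
/* Constructed toy cache image: a header holding offsets into the mapped
 * file, plus a validator that rejects any offset that is out of range,
 * misaligned, or whose record would run past the end of the mapping. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define TOY_MAGIC 0x43414348u   /* "CACH"; constructed, not fontconfig's */

struct toy_hdr {
    uint32_t magic;
    uint32_t size;       /* total file size the header claims */
    uint32_t str_off;    /* offset of a NUL-terminated string */
    uint32_t tab_off;    /* offset of an array of uint32_t */
    uint32_t tab_count;  /* number of array entries */
};

/* True if [off, off+len) lies inside map_len bytes and off is aligned.
 * Uses subtraction so off+len cannot overflow. */
bool toy_range_ok(size_t off, size_t len, size_t align, size_t map_len) {
    if (align && (off % align) != 0) return false;
    if (off > map_len) return false;
    return len <= map_len - off;
}

/* Validate a whole mapped image before trusting any offset in it. */
bool toy_cache_valid(const uint8_t *map, size_t map_len) {
    struct toy_hdr h;
    if (map_len < sizeof h) return false;
    memcpy(&h, map, sizeof h);                 /* no unaligned reads */
    if (h.magic != TOY_MAGIC || h.size != map_len) return false;
    /* String: must start in range and be NUL-terminated inside the map. */
    if (!toy_range_ok(h.str_off, 1, 1, map_len)) return false;
    if (!memchr(map + h.str_off, '\0', map_len - h.str_off)) return false;
    /* Table: reject count*4 overflow, then check the full span. */
    if (h.tab_count > UINT32_MAX / sizeof(uint32_t)) return false;
    return toy_range_ok(h.tab_off, (size_t)h.tab_count * sizeof(uint32_t),
                        sizeof(uint32_t), map_len);
}

/* Build a zero-filled 64-byte image with the given header fields and
 * report whether the validator accepts it (constructed test helper). */
bool toy_check_case(uint32_t str_off, uint32_t tab_off, uint32_t tab_count) {
    uint8_t buf[64];
    struct toy_hdr h = { TOY_MAGIC, sizeof buf, str_off, tab_off, tab_count };
    memset(buf, 0, sizeof buf);
    memcpy(buf, &h, sizeof h);
    return toy_cache_valid(buf, sizeof buf);
}
```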
Reference:
https://lists.freedesktop.org/archives/fontconfig/2016-August/005792.html
Patch:
https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940
(from redmine: issue id 6023, created on 2016-08-10, closed on 2016-08-17)
- Relations:
  - parent #6022 (closed)
- Changesets:
  - Revision 39328bea by Natanael Copa on 2016-08-10T11:52:06Z:
    main/fontconfig: security upgrade to 2.12.1 (CVE-2016-5384)
    fixes #6023