FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fontconfig -- insufficiently cache file validation

Affected packages
fontconfig < 1.12.1

Details

VuXML ID 44989c29-67d1-11e6-8b1d-c86000169601
Discovery 2016-08-05
Entry 2016-08-21

Debian security team reports:

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

References

CVE Name CVE-2016-5384
URL https://packetstormsecurity.com/files/138236/Debian-Security-Advisory-3644-1.html