fontconfig -- insufficient cache file validation

Affected packages
fontconfig < 1.12.1


VuXML ID 44989c29-67d1-11e6-8b1d-c86000169601
Discovery 2016-08-05
Entry 2016-08-21

Debian security team reports:

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.


CVE Name CVE-2016-5384