[3.2] fontconfig: Possible double free due to insufficiently validated cache files (CVE-2016-5384)
It was reported that offsets contained in cache files are not checked to be within legal ranges, nor whether they are encoded offsets at all rather than raw pointers.
The lack of validation allows an attacker to trigger arbitrary free()
calls, which in turn allows double free attacks
and therefore arbitrary code execution. When a crafted cache file is consumed by a setuid binary, privilege escalation is possible.
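The following is an added, simplified model of the bug class, written for this entry; it is not fontconfig's code and its cache layout (`cache_hdr`, `node`, the `ENC_OFFSET` low-bit convention, `MAX_NODES`) is an assumption chosen to mirror the description above. A cache blob stores "references" that are either encoded offsets into the blob or, if the low bit is clear, raw pointers. `destroy_chain_vulnerable` frees any node it does not recognise as living inside the cache, which is exactly what a crafted file can abuse to make the program free() an attacker-chosen address; `cache_load` shows the kind of check the fix adds, rejecting the blob before any reference is followed. Instead of calling free(), the vulnerable path records what it would free so a crafted cache can be examined without corrupting the heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy cache layout (assumption, not fontconfig's real FcCache format). */
#define CACHE_MAGIC 0xFC000001u
#define ENC_OFFSET  ((uintptr_t)1)   /* low bit set: value is an offset from the cache base */
#define MAX_NODES   64               /* bound for walking a chain (rejects cycles) */

typedef uintptr_t ref_t;             /* either an encoded offset or a raw pointer */

struct cache_hdr {
    uint32_t magic;
    uint32_t size;                   /* total bytes, header included */
    ref_t    first;                  /* reference to the first node */
};

struct node {
    ref_t    next;                   /* reference to the next node, 0 = end of chain */
    uint32_t data;
};

static int is_encoded_offset(ref_t r) { return (r & ENC_OFFSET) != 0; }

/* Resolve a reference the way the vulnerable code does: no range check, and a
 * value without the offset bit is trusted to be a live heap pointer. */
static struct node *ref_to_node_unchecked(const struct cache_hdr *c, ref_t r)
{
    if (is_encoded_offset(r))
        return (struct node *)((char *)c + (r & ~ENC_OFFSET));
    return (struct node *)r;
}

/* Write a well-formed cache with n chained nodes into buf (must be pointer-aligned).
 * Returns the number of bytes used, or 0 if buf is too small. */
size_t build_cache(void *buf, size_t bufsize, const uint32_t *data, size_t n)
{
    size_t need = sizeof(struct cache_hdr) + n * sizeof(struct node);
    if (n == 0 || need > bufsize || need > UINT32_MAX) return 0;
    memset(buf, 0, need);
    struct cache_hdr *h = buf;
    h->magic = CACHE_MAGIC;
    h->size  = (uint32_t)need;
    h->first = sizeof(struct cache_hdr) | ENC_OFFSET;
    for (size_t i = 0; i < n; i++) {
        struct node *nd = (struct node *)((char *)buf + sizeof(struct cache_hdr) + i * sizeof(struct node));
        nd->data = data[i];
        nd->next = (i + 1 < n) ? ((sizeof(struct cache_hdr) + (i + 1) * sizeof(struct node)) | ENC_OFFSET) : 0;
    }
    return need;
}

/* Vulnerable destroy path: every node not recognised as an encoded offset is
 * treated as heap memory and freed. Here the would-be free() targets are
 * recorded in would_free[] instead; returns how many there were. */
size_t destroy_chain_vulnerable(const struct cache_hdr *c, void **would_free, size_t max)
{
    size_t freed = 0, steps = 0;
    ref_t r = c->first;
    while (r != 0 && steps++ < MAX_NODES) {
        struct node *nd = ref_to_node_unchecked(c, r);
        ref_t next = nd->next;
        if (!is_encoded_offset(r) && freed < max)
            would_free[freed++] = nd;    /* real code: free(nd) on an attacker-chosen address */
        r = next;
    }
    return freed;
}

/* The check the fix adds: every reachable reference must be an encoded offset,
 * aligned, and must place a whole node inside the cache. Returns 1 if valid. */
int cache_refs_valid(const struct cache_hdr *c)
{
    size_t steps = 0;
    ref_t r = c->first;
    while (r != 0) {
        if (++steps > MAX_NODES) return 0;                 /* cyclic chain */
        if (!is_encoded_offset(r)) return 0;               /* raw pointer inside a cache file */
        uintptr_t off = r & ~ENC_OFFSET;
        if (off % sizeof(ref_t) != 0) return 0;            /* misaligned */
        if (off < sizeof(struct cache_hdr)) return 0;      /* points into the header */
        if (off > c->size || c->size - off < sizeof(struct node)) return 0; /* out of range */
        r = ((const struct node *)((const char *)c + off))->next;
    }
    return 1;
}

/* Load path with the fix: reject the blob before anything else follows its references. */
const struct cache_hdr *cache_load(const void *blob, size_t len)
{
    if (len < sizeof(struct cache_hdr)) return NULL;
    const struct cache_hdr *c = blob;
    if (c->magic != CACHE_MAGIC || c->size != len) return NULL;
    if (!cache_refs_valid(c)) return NULL;
    return c;
}

int main(void)
{
    static uint64_t blob[32];                              /* aligned backing store */
    uint32_t payload[2] = { 0x1111, 0x2222 };              /* constructed sample data */
    size_t len = build_cache(blob, sizeof blob, payload, 2);
    struct node *victim = calloc(1, sizeof *victim);       /* a chunk the program frees later itself */
    /* Crafted cache: the first node's "next" is a raw heap pointer, as a malicious file could supply. */
    ((struct node *)((char *)blob + sizeof(struct cache_hdr)))->next = (ref_t)victim;
    void *would_free[4];
    size_t n = destroy_chain_vulnerable((const struct cache_hdr *)blob, would_free, 4);
    printf("vulnerable path would free %zu attacker-chosen pointer(s); hardened load %s the file\n",
           n, cache_load(blob, len) ? "accepts" : "rejects");
    free(victim);                                          /* the second free() in the real double free */
    return 0;
}
```

The key point is where the check lives: validating every reference once at load time, before any traversal, means the later destroy code never has to decide whether a value is "really" a heap pointer, which is the decision the original code got wrong.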
Reference:
https://lists.freedesktop.org/archives/fontconfig/2016-August/005792.html
Patch:
https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940
(from redmine: issue id 6026, created on 2016-08-10, closed on 2016-08-17)
- Relations:
- parent #6022 (closed)
- Changesets:
- Revision bd9fbe8f on 2016-08-15T07:11:14Z:
main/fontconfig: security fix (CVE-2016-5384). Fixes #6026
(cherry picked from commit 99e120348e7b8d8f1146915eb4df9a17691514fe)