[3.1] fontconfig: Possible double free due to insufficiently validated cache files (CVE-2016-5384)
It was reported that offsets stored in fontconfig cache files are not validated:
the loader neither checks that an offset lies within the cache file nor verifies
that a stored value is an encoded offset at all rather than a raw pointer.
Because of this missing validation, a crafted cache file can make the library
pass attacker-controlled addresses to free(), which allows double free attacks
and therefore potentially arbitrary code execution. When a setuid binary loads
such a crafted cache file, local privilege escalation is possible.
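As an added illustration (not fontconfig's code and not the patch linked below), the following C sketch models the bug class described above: a cache loader that decodes file-supplied offsets without checking that they are encoded offsets at all or that they stay inside the file, next to a loader that performs those checks. The cache layout, the low-bit offset encoding, the field names and the magic value are all hypothetical; the crafted cache contents are constructed inline. Nothing is dereferenced or freed through the out-of-range pointer, the demo only shows where the unchecked decoder would point.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cache layout (not fontconfig's real format):
 * header { magic, size, name_off } followed by payload bytes.
 * A stored value is either an encoded offset (low bit set,
 * offset = value >> 1, relative to the cache base) or a raw
 * heap pointer (low bit clear) that the owner would later free(). */
#define CACHE_MAGIC 0x43414348u  /* "CACH", hypothetical */

struct cache_hdr {
    uint32_t magic;
    uint32_t size;      /* total bytes including header, as claimed by the file */
    uint32_t name_off;  /* encoded offset of a NUL-terminated string */
};

static int is_encoded_offset(uint32_t v) { return (v & 1u) != 0; }
static uint32_t decode_offset(uint32_t v) { return v >> 1; }
static uint32_t encode_offset(uint32_t off) { return (off << 1) | 1u; }

/* Vulnerable: trusts the stored value completely. */
const char *name_unchecked(const struct cache_hdr *h) {
    const uint8_t *base = (const uint8_t *)h;
    return (const char *)(base + decode_offset(h->name_off));
}

/* Hardened: the value must be an encoded offset, must land inside the
 * bytes actually read from disk, and the string must end inside them. */
const char *name_checked(const struct cache_hdr *h, size_t actual_len) {
    if (actual_len < sizeof *h || h->magic != CACHE_MAGIC) return NULL;
    if (h->size != actual_len) return NULL;           /* header lies about size */
    if (!is_encoded_offset(h->name_off)) return NULL; /* raw pointer smuggled in */
    uint32_t off = decode_offset(h->name_off);
    if (off < sizeof *h || off >= h->size) return NULL;
    const uint8_t *base = (const uint8_t *)h;
    if (memchr(base + off, '\0', h->size - off) == NULL) return NULL;
    return (const char *)(base + off);
}

/* Builds a well-formed cache in buf (cap bytes); returns its length. */
size_t build_cache(uint8_t *buf, size_t cap, const char *name) {
    size_t need = sizeof(struct cache_hdr) + strlen(name) + 1;
    if (need > cap) return 0;
    struct cache_hdr h = { CACHE_MAGIC, (uint32_t)need,
                           encode_offset((uint32_t)sizeof(struct cache_hdr)) };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, name, strlen(name) + 1);
    return need;
}

union blob { struct cache_hdr h; uint8_t raw[64]; };

/* Returns 1 if a well-formed cache is accepted and decodes correctly. */
int demo_valid_cache(void) {
    union blob b;
    size_t len = build_cache(b.raw, sizeof b.raw, "sans");
    const char *n = name_checked(&b.h, len);
    return n != NULL && strcmp(n, "sans") == 0;
}

/* Crafted offset far past the end of the file: the unchecked decoder
 * hands back an address 64 KiB beyond the blob (which a later free()
 * or dereference would act on); the checked one refuses. */
int demo_out_of_range_offset(void) {
    union blob b;
    size_t len = build_cache(b.raw, sizeof b.raw, "sans");
    b.h.name_off = encode_offset(0x10000u);
    uintptr_t wild = (uintptr_t)name_unchecked(&b.h);
    int unchecked_escapes = (wild - (uintptr_t)b.raw) == 0x10000u;
    int checked_rejects = name_checked(&b.h, len) == NULL;
    return unchecked_escapes && checked_rejects;
}

/* A raw pointer-looking value (low bit clear) in a slot that must hold
 * an encoded offset: exactly what a free() on cache data would consume. */
int demo_raw_pointer_in_cache(void) {
    union blob b;
    size_t len = build_cache(b.raw, sizeof b.raw, "sans");
    b.h.name_off = 0x41414140u;
    return name_checked(&b.h, len) == NULL;
}

/* Header claims a size larger than what was actually read from disk. */
int demo_size_mismatch(void) {
    union blob b;
    size_t len = build_cache(b.raw, sizeof b.raw, "sans");
    b.h.size = 4096u;
    return name_checked(&b.h, len) == NULL;
}
```

The checks in name_checked are the practitioner's checklist for any offset-based on-disk format: compare the header's size field against the byte count actually read, reject values that are not of the expected encoding, bound every offset by that size, and bound variable-length data (strings, arrays) by the remaining space rather than trusting a terminator to exist.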
Reference:
https://lists.freedesktop.org/archives/fontconfig/2016-August/005792.html
Patch:
https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940
(from redmine: issue id 6027, created on 2016-08-10, closed on 2016-08-17)
- Relations:
  - parent #6022 (closed)
- Changesets:
  - Revision ed8947a7 on 2016-08-15T13:08:09Z:
    main/fontconfig: security fix (CVE-2016-5384). Fixes #6027
    (cherry picked from commit 99e120348e7b8d8f1146915eb4df9a17691514fe)
    (cherry picked from commit bd9fbe8f86be75380348650dd9d7094e45b9af4e)