CVE-2011-2895

HIGH

Description

The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.

References

http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html

http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html

http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html

http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html

http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html

http://secunia.com/advisories/45544

http://secunia.com/advisories/45568

http://secunia.com/advisories/45599

http://secunia.com/advisories/45986

http://secunia.com/advisories/46127

http://secunia.com/advisories/48951

http://securitytracker.com/id?1025920

http://support.apple.com/kb/HT5130

http://support.apple.com/kb/HT5281

http://www.debian.org/security/2011/dsa-2293

http://www.mandriva.com/security/advisories?name=MDVSA-2011:153

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17

http://www.openwall.com/lists/oss-security/2011/08/10/10

http://www.redhat.com/support/errata/RHSA-2011-1154.html

http://www.redhat.com/support/errata/RHSA-2011-1155.html

http://www.redhat.com/support/errata/RHSA-2011-1161.html

http://www.redhat.com/support/errata/RHSA-2011-1834.html

http://www.securityfocus.com/bid/49124

http://www.ubuntu.com/usn/USN-1191-1

https://bugzilla.redhat.com/show_bug.cgi?id=725760

https://bugzilla.redhat.com/show_bug.cgi?id=727624

https://exchange.xforce.ibmcloud.com/vulnerabilities/69141

https://support.apple.com/HT205635

https://support.apple.com/HT205637

https://support.apple.com/HT205640

https://support.apple.com/HT205641

Details

Source: MITRE

Published: 2011-08-19

Updated: 2017-08-29

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 9.3

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH