fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - fontconfig: Possible double free due to insufficiently validated cache files (CVE-2016-5384)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - fontconfig: Possible double free due to insufficiently validated cache files (CVE-2016-5384)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - fontconfig: Possible double free due to insufficiently validated cache files (CVE-2016-5384)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

According to the version of the fontconfig packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - It was found that cache files were insufficiently     validated in fontconfig. A local attacker could create     a specially crafted cache file to trigger arbitrary     free() calls, which in turn could lead to arbitrary     code execution. (CVE-2016-5384)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - It was found that cache files were insufficiently     validated in fontconfig. A local attacker could create a     specially crafted cache file to trigger arbitrary free()     calls, which in turn could lead to arbitrary code     execution. (CVE-2016-5384)

Additional Changes :

An update for fontconfig is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications.

Security Fix(es) :

* It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384)

Red Hat would like to thank Tobias Stoeckmann for reporting this issue.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

From Red Hat Security Advisory 2016:2601 :

An update for fontconfig is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications.

Security Fix(es) :

* It was found that cache files were insufficiently validated in fontconfig. A local attacker could create a specially crafted cache file to trigger arbitrary free() calls, which in turn could lead to arbitrary code execution. (CVE-2016-5384)

Red Hat would like to thank Tobias Stoeckmann for reporting this issue.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

This update for fontconfig fixes the following issues :

  - security update :

  - CVE-2016-5384: Possible double free due to     insufficiently validated cache files [bsc#992534]

This update was imported from the SUSE:SLE-12:Update update project.

This update for fontconfig fixes the following issues :

  - security update :

  - CVE-2016-5384: Possible double free due to     insufficiently validated cache files [bsc#992534]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Debian security team reports :

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

Tobias Stoeckmann discovered that Fontconfig incorrectly handled cache files. A local attacker could possibly use this issue with a specially crafted cache file to elevate privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2016-5384

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A possible double free vulnerability was found in fontconfig. The problem was due to insufficient validation when parsing the cache file.

For Debian 7 'Wheezy', these problems have been fixed in version 2.9.0-7.1+deb7u1.

We recommend that you upgrade your fontconfig packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

ID	Name	Product	Family	Severity
196308	RHEL 6 : fontconfig (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
196303	RHEL 7 : fontconfig (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
196279	RHEL 5 : fontconfig (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
99837	EulerOS 2.0 SP1 : fontconfig (EulerOS-SA-2016-1077)	Nessus	Huawei Local Security Checks	high
95838	Scientific Linux Security Update : fontconfig on SL7.x x86_64 (20161103)	Nessus	Scientific Linux Local Security Checks	high
95347	CentOS 7 : fontconfig (CESA-2016:2601)	Nessus	CentOS Local Security Checks	high
94720	Oracle Linux 7 : fontconfig (ELSA-2016-2601)	Nessus	Oracle Linux Local Security Checks	high
94564	RHEL 7 : fontconfig (RHSA-2016:2601)	Nessus	Red Hat Local Security Checks	high
93433	openSUSE Security Update : fontconfig (openSUSE-2016-1070)	Nessus	SuSE Local Security Checks	high
93312	SUSE SLED12 / SLES12 Security Update : fontconfig (SUSE-SU-2016:2190-1)	Nessus	SuSE Local Security Checks	high
93310	SUSE SLES11 Security Update : fontconfig (SUSE-SU-2016:2186-1)	Nessus	SuSE Local Security Checks	high
93061	FreeBSD : fontconfig -- insufficiently cache file validation (44989c29-67d1-11e6-8b1d-c86000169601)	Nessus	FreeBSD Local Security Checks	high
93025	Ubuntu 14.04 LTS / 16.04 LTS : Fontconfig vulnerability (USN-3063-1)	Nessus	Ubuntu Local Security Checks	high
93022	Fedora 23 : fontconfig (2016-6802f2e52a)	Nessus	Fedora Local Security Checks	high
92827	Debian DLA-587-1 : fontconfig security update	Nessus	Debian Local Security Checks	high
92811	Fedora 24 : fontconfig (2016-e23ab56ce3)	Nessus	Fedora Local Security Checks	high
92795	Debian DSA-3644-1 : fontconfig - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2016-5384

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high