Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== Slackware-13.1 ChangeLog (2017-11-29) ====== ====== Wed Nov 29 08:15:09 UTC 2017 ====== ===== Packages ===== ==== Upgraded ==== * [[slackware.13.1>patches/packages/libXcursor-1.1.15-i486-1_slack13.1.txz]] \\ Fix heap overflows when parsing malicious files. (CVE-2017-16612) \\ It is possible to trigger heap overflows due to an integer overflow \\ while parsing images and a signedness issue while parsing comments. \\ The integer overflow occurs because the chosen limit 0x10000 for \\ dimensions is too large for 32 bit systems, because each pixel takes \\ 4 bytes. Properly chosen values allow an overflow which in turn will \\ lead to less allocated memory than needed for subsequent reads. \\ The signedness bug is triggered by reading the length of a comment \\ as unsigned int, but casting it to int when calling the function \\ XcursorCommentCreate. Turning length into a negative value allows the \\ check against XCURSOR_COMMENT_MAX_LEN to pass, and the following \\ addition of sizeof (XcursorComment) + 1 makes it possible to allocate \\ less memory than needed for subsequent reads. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612 \\ (* Security fix *) ==== Rebuilt ==== * [[slackware.13.1>patches/packages/libXfont-1.4.7-i486-2_slack13.1.txz]] \\ Open files with O_NOFOLLOW. (CVE-2017-16611) \\ A non-privileged X client can instruct X server running under root \\ to open any file by creating own directory with "fonts.dir", \\ "fonts.alias" or any font file being a symbolic link to any other \\ file in the system. X server will then open it. This can be issue \\ with special files such as /dev/watchdog (which could then reboot \\ the system). \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611 \\ (* Security fix *) {{tag>slackware changelog slackware-13.1 2017-11}} news/2017/11/29/slackware-13.1-changelog.txt Last modified: 3 years agoby Giuseppe Di Terlizzi Log In