CVE-2017-16611 — libxfont - security update

Description

In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files.

How to fix CVE-2017-16611

To remediate CVE-2017-16611, upgrade the affected package to a fixed version below.

Alpine/libxfont—upgrade to 1.5.4-r0 or later
—upgrade to 2.0.3-r0 or later
—upgrade to 1:2.0.3-1 or later
—upgrade to 1:2.0.1-3+deb9u2 or later

Is CVE-2017-16611 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.5.4-r0
from 0, < 2.0.3-r0
from 0, < 1:2.0.3-1
from 0, < 1:2.0.1-3+deb9u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2017-16611
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-16611