Vulnerability Details : CVE-2017-16611
In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can cause files on the system to be opened (but not read) as root. Merely opening a file is enough to set off side effects such as a tape rewind, a watchdog reset, or similar mechanisms tied to open().
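As an added illustration of the hardening the advisories describe (opening with O_NOFOLLOW, per the oss-security reference below), here is a hypothetical opener that is not libXfont's code: it refuses a symlink in the final path component and, going one step beyond the O_NOFOLLOW change itself, also refuses anything that is not a regular file via an fstat type check. The fixture directory under /tmp and the file names in it are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened opener written for this illustration (not libXfont
 * code). Returns an fd only for a regular file; otherwise -1 with errno set to
 * ELOOP (last component is a symlink) or EINVAL (device, FIFO, socket, dir). */
int open_regular_nofollow(const char *path)
{
    /* O_NOFOLLOW refuses a symlink in the final path component. O_NONBLOCK
     * stops a FIFO with no writer from blocking us before the type check. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int err = fstat(fd, &st) < 0 ? errno : (S_ISREG(st.st_mode) ? 0 : EINVAL);
    if (err) {
        close(fd);
        errno = err;
        return -1;
    }
    /* Regular file confirmed: clear O_NONBLOCK so later reads are ordinary. */
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* Constructed fixture: a fresh temp directory holding a regular file, a
 * symlink to it and a FIFO, standing in for a font directory entry that
 * points somewhere it should not. Returns 0 on success. */
char demo_regular[256], demo_link[256], demo_fifo[256];
int make_fixture(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    snprintf(demo_regular, sizeof demo_regular, "%s/font.pcf", dir);
    snprintf(demo_link, sizeof demo_link, "%s/link.pcf", dir);
    snprintf(demo_fifo, sizeof demo_fifo, "%s/fifo.pcf", dir);
    int fd = open(demo_regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) < 0 || symlink(demo_regular, demo_link) < 0)
        return -1;
    return mkfifo(demo_fifo, 0600);
}
```

With the fixture in place, the regular file opens, the symlink fails with ELOOP, and the FIFO is opened only long enough to be identified and closed again, never read.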
Products affected by CVE-2017-16611
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-16611
EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~6% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-16611
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C | 3.9 | 6.9 | NIST |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | NIST |
CWE ids for CVE-2017-16611
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-16611
- https://marc.info/?l=freedesktop-xorg-announce&m=151188044218304&w=2
  '[ANNOUNCE] libXfont2 2.0.3' - MARC (Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/01/msg00028.html
  [SECURITY] [DLA 2901-1] libxfont security update (Issue Tracking; Mailing List; Third Party Advisory)
- https://bugzilla.suse.com/show_bug.cgi?id=1050459
  Bug 1050459 – VUL-1: CVE-2017-16611: libXfont,xorg-x11-libs:: User can trigger reads on special files as root allowing for DoS (Issue Tracking; Tool Signature; VDB Entry)
- http://www.openwall.com/lists/oss-security/2017/11/28/7
  oss-security - CVE-2017-16611 libXfont Open files with O_NOFOLLOW (Mailing List; Patch; Third Party Advisory)
- http://security.cucumberlinux.com/security/details.php?id=155
  CLD-155 Details (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-3500-1
  USN-3500-1: libXfont vulnerability | Ubuntu security notices (Third Party Advisory)
- https://security.gentoo.org/glsa/201801-10
  LibXfont, LibXfont2: Arbitrary file access (GLSA 201801-10) — Gentoo security (Third Party Advisory)
- https://marc.info/?l=freedesktop-xorg-announce&m=151188049718337&w=2
  '[ANNOUNCE] libXfont 1.5.4' - MARC (Patch; Third Party Advisory)