LZW Decompression Vulnerability in X.Org libXfont and Multiple Operating Systems
CVE-2011-2895

Currently unrated

Key Information:

Vendor: OpenBSD
Status: OpenBSD; Freetype; Netbsd; Libxfont
Vendor: CVE Published:; 19 August 2011

Summary

The vulnerability in the LZW decompressor affects the BufCompressedFill function in X.Org libXfont and multiple BSD variants. It arises when code words that are not present in the decompression table are encountered. This malfunction can lead to an infinite loop or a heap-based buffer overflow, potentially allowing attackers to execute arbitrary code through crafted compressed data streams.

References

https://support.apple.com/HT205635

x_refsource_CONFIRM

http://www.redhat.com/support/errata/RHSA-2011-1154.html

vendor-advisoryx_refsource_REDHAT

http://www.ubuntu.com/usn/USN-1191-1

vendor-advisoryx_refsource_UBUNTU

EPSS Score

8% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Aug 19, 2011
Vulnerability Reserved
Jul 27, 2011