Vulnerability Details : CVE-2011-2895
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
Vulnerability category: OverflowExecute code
Threat overview for CVE-2011-2895
Top countries where our scanners detected CVE-2011-2895
Top open port discovered on systems with this issue
22
IPs affected by CVE-2011-2895 16,530
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2011-2895!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2011-2895
Probability of exploitation activity in the next 30 days: 1.34%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2011-2895
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2011-2895
-
The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2895
-
http://www.redhat.com/support/errata/RHSA-2011-1154.html
SupportVendor Advisory
-
https://support.apple.com/HT205641
About the security content of watchOS 2.1 - Apple Support
-
http://www.redhat.com/support/errata/RHSA-2011-1834.html
Support
-
http://www.debian.org/security/2011/dsa-2293
Debian -- Security Information -- DSA-2293-1 libxfont
-
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html
[ANNOUNCE] libXfont 1.4.4Patch
-
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
Apple - Lists.apple.com
-
http://support.apple.com/kb/HT5281
About the security content of OS X Lion v10.7.4 and Security Update 2012-002 - Apple Support
-
https://support.apple.com/HT205635
About the security content of iOS 9.2 - Apple Support
-
http://www.securityfocus.com/bid/49124
X.Org libXfont LZW Decompression 'BufCompressedFill()' Local Privilege Escalation Vulnerability
-
http://www.ubuntu.com/usn/USN-1191-1
USN-1191-1: libXfont vulnerability | Ubuntu security notices
-
http://www.redhat.com/support/errata/RHSA-2011-1161.html
SupportVendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/69141
X.Org libXfont LZW buffer overflow CVE-2011-2895 Vulnerability Report
-
http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html
[security-announce] openSUSE-SU-2011:1299-1: important: xorg-x11-libs
-
https://support.apple.com/HT205640
About the security content of tvOS 9.1 - Apple Support
-
http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
Apple - Lists.apple.com
-
http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
Apple - Lists.apple.com
-
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17
CVS log for src/usr.bin/compress/zopen.c
-
https://bugzilla.redhat.com/show_bug.cgi?id=727624
727624 – (CVE-2011-2895) CVE-2011-2895 BSD compress LZW decoder buffer overflow
-
http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
Apple - Lists.apple.com
-
http://securitytracker.com/id?1025920
libXfont Heap Overflow in LZW Decompresser Lets Remote Users Execute Arbitrary Code - SecurityTracker
-
http://www.mandriva.com/security/advisories?name=MDVSA-2011:153
mandriva.com
-
https://bugzilla.redhat.com/show_bug.cgi?id=725760
725760 – CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loopPatch
-
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc
-
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html
X.Org security advisory: libXfont LZW decompression heap corruptionPatch
-
https://support.apple.com/HT205637
About the security content of OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks - Apple Support
-
http://www.redhat.com/support/errata/RHSA-2011-1155.html
SupportVendor Advisory
-
http://support.apple.com/kb/HT5130
About the security content of OS X Lion v10.7.3 and Security Update 2012-001 - Apple Support
-
http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html
[security-announce] SUSE-SU-2011:1035-1: important: Security update for
-
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
xorg/lib/libXfont - X font handling library for server & utilities (mirrored from https://gitlab.freedesktop.org/xorg/lib/libxfont)Patch
-
http://www.openwall.com/lists/oss-security/2011/08/10/10
oss-security - LZW decompression issues
-
http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
Apple - Lists.apple.com
-
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
Apple - Lists.apple.com
Products affected by CVE-2011-2895
- cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
- cpe:2.3:o:netbsd:netbsd:*:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.3:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.4:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.2:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.1:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.5:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.6:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.7:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.8:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:2.9:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.2:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.3:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.4:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.5:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:freetype:freetype:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:*:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:x:libxfont:1.4.1:*:*:*:*:*:*:*