Red Hat Enterprise Linux 5 5.8 Technical Notes

Chapter 4. Package Updates
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link associated with the description below.
The libXfont packages provide the X.Org libXfont runtime library. X.Org is an open source implementation
of the X Window System.
Security Fix
CVE-2011-2895
A buffer overflow flaw was found in the way the libXfont library, used by the X.Org server,
handled malformed font files compressed using UNIX compress. A malicious, local user could
exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.
Users of libXfont should upgrade to these updated packages, which contain a backported patch to
resolve this issue. All running X.Org server instances must be restarted for the update to take effect.
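A check for the restart requirement above, as an added example that is not part of the Red Hat advisory: it lists processes that still map a deleted copy of a library after the package update, which means they are still running the old code. The function names, the sample map lines, the PIDs and the library version are constructed for illustration.

```shell
#!/bin/sh
# stale_lib_pids LIBNAME [PROCROOT]
# Prints the PID of every process whose memory map still references a
# deleted copy of LIBNAME, i.e. a process started before the update.
stale_lib_pids() {
    lib=$1
    procroot=${2:-/proc}
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        # A replaced library is shown as ".../libXfont.so.N (deleted)".
        if grep -q "/${lib}[^/]*(deleted)\$" "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# Constructed sample: a fake /proc tree with one stale and one current
# process. PIDs, addresses and the library version are made up.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/2411" "$root/2950"
    # PID 2411: X server started before the update (old file unlinked).
    printf '%s\n' \
        '00400000-005d2000 r-xp 00000000 fd:00 131 /usr/bin/Xorg' \
        '2b1c00000000-2b1c00031000 r-xp 00000000 fd:00 977 /usr/lib64/libXfont.so.1.4.1 (deleted)' \
        > "$root/2411/maps"
    # PID 2950: started after the update; an unrelated deleted file
    # must not be reported.
    printf '%s\n' \
        '00400000-005d2000 r-xp 00000000 fd:00 131 /usr/bin/Xorg' \
        '2b1c00000000-2b1c00031000 r-xp 00000000 fd:00 988 /usr/lib64/libXfont.so.1.4.1' \
        '2b1c10000000-2b1c10001000 rw-s 00000000 fd:00 990 /tmp/scratch (deleted)' \
        > "$root/2950/maps"
    echo "$root"
}

# When run with a library name, scan the live /proc (root is needed to
# read the maps of other users' processes).
if [ $# -gt 0 ]; then
    stale_lib_pids "$1"
fi
```

Run as root with `libXfont` as the argument after installing the update; any PID printed belongs to a process that must be restarted.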
4.98. libxml2
4.98.1. RHSA-2012:0017 — Important: libxml2 security update
Updated libxml2 packages that fix several security issues are now available for Red Hat Enterprise Linux
5.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
The libxml2 library is a development toolbox providing the implementation of various XML standards. One
of those standards is the XML Path Language (XPath), which is a language for addressing parts of an
XML document.
Security Fixes
CVE-2011-3919
A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with
long names. A remote attacker could provide a specially-crafted XML file that, when opened in
an application linked against libxml2, would cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the application.
CVE-2011-0216
An off-by-one error, leading to a heap-based buffer overflow, was found in the way libxml2
parsed certain XML files. A remote attacker could provide a specially-crafted XML file that, when
opened in an application linked against libxml2, would cause the application to crash or,
potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2011-1944
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libxml2
parsed certain XPath expressions. If an attacker were able to supply a specially-crafted XML file
to an application using libxml2, as well as an XPath expression for that application to run
against the crafted file, it could cause the application to crash or, possibly, execute arbitrary