A huge number of security vulnerabilities have been fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws also were patched in some versions of the operating system.
The font vulnerability affects five different versions of Ubuntu, including 10.04, 12.04, 12.10, 13.04 and 13.10. The patch, issued on Tuesday, fixes the vulnerability by updating users to new versions of the operating system.
“It was discovered that libXfont incorrectly handled certain malformed BDF fonts. An attacker could use a specially crafted font file to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges. The default compiler options for affected releases should reduce the vulnerability to a denial of service,” the Ubuntu advisory says.
Along with the font vulnerability, there were a slew of Linux kernel bugs fixed in a couple of different versions of Ubuntu, as well. In Ubuntu 10.04 LTS, four separate locally exploitable kernel flaws were patched, and in Ubuntu 12.04, 10 different vulnerabilities were fixed. Two of those bugs are remotely exploitable, including a buffer overflow in the kernel.
“Evan Huus reported a buffer overflow in the Linux kernel’s radiotap header parsing. A remote attacker could cause a denial of service (buffer over-read) via a specially crafted header,” the advisory says.
The other remotely exploitable vulnerability is in the kernel’s dm snapshot facility and could be used by an attacker to get or corrupt sensitive data.
Image from Flickr photos of Andrew Mason.