CVE-2011-2895
Published 2011-08-19
Priority P349 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 8.36% (94.3th percentile)
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
Affected
60 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | cups | <= 1.4.6 | — |
| apple | cups | >= 0 < 1.5.0-8 | 1.5.0-8 |
| apple | cups | >= 0 < 1.5.0-8 | 1.5.0-8 |
| apple | cups | >= 0 < 1.5.0-8 | 1.5.0-8 |
| apple | cups | >= 0 < 1.5.0-8 | 1.5.0-8 |
| apple | ios | — | — |
| apple | os_x_el_capitan_10.11.2_security_update_2015-005_yosemite_and_security_update_20 | — | — |
| apple | tvos | — | — |
| apple | watchos | — | — |
| debian | cups | < cups 1.5.0-8 (bookworm) | cups 1.5.0-8 (bookworm) |
| debian | gimp | < cups 1.5.0-8 (bookworm) | cups 1.5.0-8 (bookworm) |
| debian | libxfont | < libxfont 1:1.4.4-1 (bookworm) | libxfont 1:1.4.4-1 (bookworm) |
| freetype | freetype | — | — |
| gimp | gimp | <= 2.6.11 | — |
| gimp | gimp | >= 0 < 2.6.11-5 | 2.6.11-5 |
| gimp | gimp | >= 0 < 2.6.11-5 | 2.6.11-5 |
| gimp | gimp | >= 0 < 2.6.11-5 | 2.6.11-5 |
| gimp | gimp | >= 0 < 2.6.11-5 | 2.6.11-5 |
| openbsd | openbsd | <= 3.7 | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
CVSS provenance
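| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |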
BSD
FreeBSD-SA-11:04.compress: Errors handling corrupt compress file in compress(1)
and gzip(1)
bsd_advisories·2011-09-28·CVSS 9.3
CVE-2011-2895 [CRITICAL] FreeBSD-SA-11:04.compress: Errors handling corrupt compress file in compress(1)
and gzip(1)
FreeBSD-SA-11:04.compress Security Advisory
The FreeBSD Project
Topic: Errors handling corrupt compress file in compress(1)
and gzip(1)
Category: core
Module: compress
Announced: 2011-09-28
Credits: Tomas Hoger, Joerg Sonnenberger
Affects: All supported versions of FreeBSD.
Corrected: 2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
CVE Name: CVE-2011-2895
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
fol
Ubuntu
libXfont vulnerability
vendor_ubuntu·2011-08-15
CVE-2011-2895 libXfont vulnerability
Title: libXfont vulnerability
Summary: libXfont could be made to run programs as an administrator if it opened a
specially crafted file.
Tomas Hoger discovered that libXfont incorrectly handled certain malformed
compressed fonts. An attacker could use a specially crafted font file to
cause libXfont to crash, or possibly execute arbitrary code in order to
gain privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
David Koblas' GIF decoder LZW decoder buffer overflow
vendor_redhat·2011-08-10·CVSS 7.5
CVE-2011-2896 [HIGH] David Koblas' GIF decoder LZW decoder buffer overflow
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Statement: Vulnerable. This issue affects the versio
Red Hat
BSD compress LZW decoder buffer overflow
vendor_redhat·2011-08-10·CVSS 7.5
CVE-2011-2895 [HIGH] BSD compress LZW decoder buffer overflow
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
Package: busybox (Red Hat Enterprise Linux 4) - Not affected
Package: gzip (Red Hat Enterprise Linux 4) - Not affected
Package: mai
Debian
CVE-2011-2895: libxfont - The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompres...
vendor_debian·2011·CVSS 7.5
CVE-2011-2895 [HIGH] CVE-2011-2895: libxfont - The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompres...
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
Scope: local
bookworm: resolved (fixed in 1:1.4.4-1)
bullseye: resolved (fixed in 1:1.4.4-1)
forky: resolved (fixed in 1:1.4.4-1)
sid: resolved (fixed in 1:1.4.4-1)
trixie: res
Debian
CVE-2011-2896: cups - The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Kobl...
vendor_debian·2011·CVSS 7.5
CVE-2011-2896 [HIGH] CVE-2011-2896: cups - The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Kobl...
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Scope: local
bookworm: resolved (fixed in 1.5.0-8)
bullseye: resolved (fixed in 1.5.0-8)
forky: resolved (fi
Apple
CVE-2011-2895: tvOS 9.1
vendor_apple·CVSS 9.3
CVE-2011-2895 [CRITICAL] CVE-2011-2895: tvOS 9.1
Apple Security Update: About the security content of tvOS 9.1
Product: tvOS
Version: 9.1
CVE: CVE-2011-2895
Component: CVE-ID
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
Apple
CVE-2011-2895: watchOS 2.1
vendor_apple·CVSS 9.3
CVE-2011-2895 [CRITICAL] CVE-2011-2895: watchOS 2.1
Apple Security Update: About the security content of watchOS 2.1
Product: watchOS
Version: 2.1
CVE: CVE-2011-2895
Component: CVE-ID
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
Apple
CVE-2011-2895: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
vendor_apple·CVSS 9.3
CVE-2011-2895 [CRITICAL] CVE-2011-2895: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
Apple Security Update: About the security content of OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
Product: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks
CVE: CVE-2011-2895
Component: CVE-ID
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
Apple
CVE-2011-2895: iOS 9.2
vendor_apple·CVSS 9.3
CVE-2011-2895 [CRITICAL] CVE-2011-2895: iOS 9.2
Apple Security Update: About the security content of iOS 9.2
Product: iOS
Version: 9.2
CVE: CVE-2011-2895
Component: CVE-ID
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
GHSA
GHSA-8hvp-h85w-jwq9: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2011-2895 [HIGH] CWE-119 GHSA-8hvp-h85w-jwq9: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
GHSA
GHSA-46mw-xwc9-f8hc: The LZW decompressor in the LWZReadByte function in giftoppm
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2011-2896 [HIGH] CWE-787 GHSA-46mw-xwc9-f8hc: The LZW decompressor in the LWZReadByte function in giftoppm
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
OSV
CVE-2011-2896: The LZW decompressor in the LWZReadByte function in giftoppm
osv·2011-08-19·CVSS 7.5
CVE-2011-2896 [HIGH] CVE-2011-2896: The LZW decompressor in the LWZReadByte function in giftoppm
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
OSV
CVE-2011-2895: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress
osv·2011-08-19·CVSS 7.5
CVE-2011-2895 [HIGH] CVE-2011-2895: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress
The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896.
No detection rules found.
No public exploits indexed.
arXiv
Automated Reasoning for Vulnerability Management by Design
arxiv_fulltext·2025-07-08
Avi Shaked (ORCID 0000-0001-7976-1942), Department of Computer Science, University of Oxford, Oxford, OX1 3QD, UK
Nan Messe (ORCID 0000-0002-3766-0710), IRIT, CNRS, UT2, France
## Abstract
For securing systems, it is essential to manage their vulnerability posture and design appropriate security controls. Vulnerability management allows vulnerabilities to be addressed proactively by incorporating pertinent security controls into systems' designs. Current vulnerability management approaches do not support systematic reasoning about the vulnerability postures of systems' designs. To effectively manage vulnerabilities and design secur
Bugzilla
CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loop [fedora-all]
bugzilla·2011-08-11·CVSS 9.3
CVE-2011-2895 [CRITICAL] CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loop [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=725760
Please note: this issue affe
Bugzilla
CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
bugzilla·2011-08-03·CVSS 9.3
CVE-2011-2896 [CRITICAL] CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas. This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table. The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.
This problem is identical to a bug found in BSD compress (CVE-2011-2895, bug #727624), but given the unclear relationship between BSD compress and GIF deco
Bugzilla
CVE-2011-2895 BSD compress LZW decoder buffer overflow
bugzilla·2011-08-02·CVSS 9.3
CVE-2011-2895 [CRITICAL] CVE-2011-2895 BSD compress LZW decoder buffer overflow
BSD compress implemented an LZW compressor and decompressor. This decompressor implementation did not correctly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table. The implementation used in BSD compress allows code words not only matching, but also exceeding the first free entry.
It seems this compress implementation first appeared in BSD around 1985, and was later used in various other code bases, such as ncompress and gzip. Other components that contain affected code will be listed below. The following page lists the version of the code as was used in 4.3BSD:
ht
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d11ee5886e9d9ec610051a206b135a4cdc1e09a0
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-007.txt.asc
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001721.html
http://lists.freedesktop.org/archives/xorg-announce/2011-August/001722.html
http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00004.html
http://secunia.com/advisories/45544
http://secunia.com/advisories/45568
http://secunia.com/advisories/45599
http://secunia.com/advisories/45986
http://secunia.com/advisories/46127
http://secunia.com/advisories/48951
http://securitytracker.com/id?1025920
http://support.apple.com/kb/HT5130
http://support.apple.com/kb/HT5281
http://www.debian.org/security/2011/dsa-2293
http://www.mandriva.com/security/advisories?name=MDVSA-2011:153
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/compress/zopen.c#rev1.17
http://www.openwall.com/lists/oss-security/2011/08/10/10
http://www.redhat.com/support/errata/RHSA-2011-1154.html
http://www.redhat.com/support/errata/RHSA-2011-1155.html
http://www.redhat.com/support/errata/RHSA-2011-1161.html
http://www.redhat.com/support/errata/RHSA-2011-1834.html
http://www.securityfocus.com/bid/49124
http://www.ubuntu.com/usn/USN-1191-1
https://bugzilla.redhat.com/show_bug.cgi?id=725760
https://bugzilla.redhat.com/show_bug.cgi?id=727624
https://exchange.xforce.ibmcloud.com/vulnerabilities/69141
https://support.apple.com/HT205635
https://support.apple.com/HT205637
https://support.apple.com/HT205640
https://support.apple.com/HT205641
Published: 2011-08-19