Debian · Xfstt · CVE-2003-0581
**Name of the Vulnerable Software and Affected Versions**
xfstt version 1.4
**Description**
Debian's advisory for xfstt, the X font server for TrueType fonts, covers several remotely exploitable flaws in the package; CVE-2003-0581 is the one described here. xfstt trusts the num_ranges field of certain X Font Service (FS) protocol requests, such as QueryXExtents8 and QueryXBitmaps8, and a large num_ranges value drives an out-of-bounds array access on the server side. At minimum this crashes the font server (denial of service); because the faulting access is driven by client-controlled data, execution of arbitrary code is also possible. The server accepts connections over TCP, so any host that can reach the font server port can send the malformed request, and no authentication is required.
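The pattern behind the fault, as an added illustration that is not xfstt's own code: a request handler that reads an element count (num_ranges) from the packet and uses it as the bound for filling a fixed-size table, first in the unchecked form matching the CVE description and then with the two checks a server needs (count against table capacity, and count against the bytes actually present in the request). The wire layout, the table size MAX_RANGES and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical reconstruction, not xfstt's code. Wire format assumed here:
 * big-endian u32 num_ranges, then num_ranges pairs of big-endian u16
 * (first, last). Real FS requests carry more fields; this is simplified. */

#define MAX_RANGES 16u   /* assumed capacity of the server-side range table */

struct range { uint16_t first, last; };

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: num_ranges comes straight from the packet and is used
 * as the loop bound over a fixed table. A value above MAX_RANGES writes past
 * the end of 'table', and once 'len' is exhausted it also reads past the
 * packet. Returns the number of ranges copied. Do not call it with a hostile
 * count; it is here to show the defect. */
int parse_ranges_unchecked(const unsigned char *pkt, size_t len,
                           struct range table[MAX_RANGES])
{
    (void)len;                         /* the packet length is never consulted */
    uint32_t n = rd32(pkt);
    for (uint32_t i = 0; i < n; i++) {
        const unsigned char *p = pkt + 4 + (size_t)i * 4;
        table[i].first = rd16(p);      /* out-of-bounds write once i >= MAX_RANGES */
        table[i].last  = rd16(p + 2);
    }
    return (int)n;
}

/* Hardened form: validate the count against the table capacity (no over-write)
 * and against the request length (no over-read) before touching either.
 * Returns -1 for a malformed request. */
int parse_ranges_checked(const unsigned char *pkt, size_t len,
                         struct range table[MAX_RANGES])
{
    if (len < 4) return -1;
    uint32_t n = rd32(pkt);
    if (n > MAX_RANGES) return -1;       /* caps the table index */
    if ((len - 4) / 4 < n) return -1;    /* packet must actually carry n pairs */
    for (uint32_t i = 0; i < n; i++) {
        const unsigned char *p = pkt + 4 + (size_t)i * 4;
        table[i].first = rd16(p);
        table[i].last  = rd16(p + 2);
    }
    return (int)n;
}

/* Constructed sample requests (not captured traffic):
 *  - benign_req: claims 2 ranges and carries 2 pairs
 *  - hostile_req: claims 0x7fffffff ranges, carries 1 pair (the CVE shape)
 *  - short_req: claims 3 ranges (within capacity) but carries only 2 pairs */
const unsigned char benign_req[]  = { 0x00,0x00,0x00,0x02, 0x00,0x20,0x00,0x7e, 0x00,0xa0,0x00,0xff };
const unsigned char hostile_req[] = { 0x7f,0xff,0xff,0xff, 0x00,0x20,0x00,0x7e };
const unsigned char short_req[]   = { 0x00,0x00,0x00,0x03, 0x00,0x20,0x00,0x7e, 0x00,0xa0,0x00,0xff };

/* Small wrappers so the parsers can be exercised without managing the table. */
int checked_result(const unsigned char *pkt, size_t len)
{
    struct range table[MAX_RANGES];
    return parse_ranges_checked(pkt, len, table);
}

int unchecked_result(const unsigned char *pkt, size_t len)
{
    struct range table[MAX_RANGES];
    return parse_ranges_unchecked(pkt, len, table);
}

/* Returns table[idx].last after a checked parse, or -1 on rejection. */
int checked_last_of(const unsigned char *pkt, size_t len, unsigned idx)
{
    struct range table[MAX_RANGES];
    int n = parse_ranges_checked(pkt, len, table);
    if (n < 0 || idx >= (unsigned)n) return -1;
    return table[idx].last;
}

int main(void)
{
    printf("benign  -> %d\n", checked_result(benign_req, sizeof benign_req));
    printf("hostile -> %d\n", checked_result(hostile_req, sizeof hostile_req));
    printf("short   -> %d\n", checked_result(short_req, sizeof short_req));
    return 0;
}
```

The second check matters as much as the first: a count that fits the table but exceeds the bytes received still reads beyond the request buffer, so a fix that only compares num_ranges with MAX_RANGES would leave an over-read in place.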
**Recommendations**
The malformed packet is sent by the attacker, so a client-side limit on num_ranges offers no protection; the fix has to be in the server, which must validate num_ranges against both the size of its internal table and the length of the request before using it. Until an updated xfstt package is installed, restrict network access to the port xfstt listens on (TCP 7101 by default) to trusted X clients, for example with a host firewall, or do not expose the font server beyond the local host at all. Running the font server as an unprivileged user limits what code execution would gain, and hosts that do not need TrueType fonts served this way should simply not run xfstt. No fixed version is recorded on this page; consult the Debian security advisory for the package update that addresses this issue.