Package: libfontconfig1
Version: 2.13.0-5
Severity: normal

Dear Maintainer,
after upgrading my version of libfontconfig1, I started getting lots of these messages in some applications:

Fontconfig error: failed reading config file

It wasn't clear what config file it couldn't read, but strace showed that it uses a bizarre way of resolving symlinks itself rather than just trying to read files:

[pid 8503] access("/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", R_OK) = 0
[pid 8503] access("/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", R_OK) = 0
[pid 8503] readlink("/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", "../conf.avail/65-0-fonts-beng-ex"..., 4095) = 40
[pid 8503] stat("../conf.avail/65-0-fonts-beng-extra.conf", 0x7fffffff3460) = -1 ENOENT (No such file or directory)
[pid 8503] openat(AT_FDCWD, "/etc/fonts/conf.d/65-0-fonts-beng-extra.conf", O_RDONLY|O_CLOEXEC) = 15
Fontconfig error: failed reading config file

That is, instead of trying to read the config file(s), it readlinks them and then uses the target as if it were an absolute path, even if the path is relative (it does manage to then open the correct file, but I still get a message for every relative path). Indeed, running affected programs in /etc/fonts/conf.d makes the messages go away.

I don't know a way to exploit this (it probably isn't exploitable), but this could potentially be a security issue if fontconfig can be tricked into reading the wrong files merely by running a program in the wrong directory.
-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.70-041470-generic (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libfontconfig1:amd64 depends on:
ii  fontconfig-config  2.13.0-5
ii  libc6              2.27-6
ii  libexpat1          2.2.0-2+deb9u1
ii  libfreetype6       2.8.1-2
ii  libuuid1           2.29.2-1+deb9u1

libfontconfig1:amd64 recommends no packages.

libfontconfig1:amd64 suggests no packages.

-- no debconf information
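The following is an added illustration, not part of the bug report above and not fontconfig's own code. It reproduces the behaviour visible in the strace (readlink() a conf.d entry, then stat() the raw relative result, which the kernel resolves against the process's cwd) next to the correct handling, where a relative readlink() target is prefixed with the directory containing the link. The fixture directory layout, the file name 65-0-example.conf and the function names are assumptions chosen to mirror the /etc/fonts/conf.d -> ../conf.avail layout from the report; the example builds its own copy under /tmp, so it never touches the real /etc/fonts.

```c
#define _GNU_SOURCE
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the strace in the report shows: readlink() the config entry and
 * stat() the raw result.  A relative target is then resolved by the kernel
 * against the process's cwd, so whether it is "found" depends on where the
 * program happens to run.  Returns 1 if the raw target stat()s, 0 if it
 * does not, -1 if readlink() fails. */
static int naive_target_found(const char *link) {
    char target[PATH_MAX];
    struct stat st;
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0) return -1;
    target[n] = '\0';
    return stat(target, &st) == 0 ? 1 : 0;
}

/* Correct handling: a relative readlink() result is relative to the
 * directory containing the link, so prefix it with dirname(link) before
 * use.  Absolute targets are used as-is.  Returns 0 on success, -1 on error. */
static int resolve_link_target(const char *link, char *out, size_t outsz) {
    char target[PATH_MAX], linkcopy[PATH_MAX];
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0) return -1;
    target[n] = '\0';
    if (target[0] == '/')
        return snprintf(out, outsz, "%s", target) < (int)outsz ? 0 : -1;
    snprintf(linkcopy, sizeof linkcopy, "%s", link);   /* dirname() may modify its argument */
    return snprintf(out, outsz, "%s/%s", dirname(linkcopy), target) < (int)outsz ? 0 : -1;
}

static int resolved_target_found(const char *link) {
    char path[PATH_MAX];
    struct stat st;
    if (resolve_link_target(link, path, sizeof path) < 0) return -1;
    return stat(path, &st) == 0 ? 1 : 0;
}

/* Builds a constructed fixture under /tmp mirroring the Debian layout:
 *   <base>/conf.avail/65-0-example.conf            (regular file)
 *   <base>/conf.d/65-0-example.conf -> ../conf.avail/65-0-example.conf
 * then runs both lookups from "/" and the naive one from inside conf.d.
 * Returns a bitmask: bit0 = naive lookup works from "/", bit1 = resolved
 * lookup works from "/", bit2 = naive lookup works from conf.d.
 * Returns -1 if the fixture could not be created. */
int demo(void) {
    char base[] = "/tmp/fcdemo.XXXXXX";
    char avail[PATH_MAX], confd[PATH_MAX], file[PATH_MAX], link[PATH_MAX], cwd[PATH_MAX];
    int result = 0;

    if (!getcwd(cwd, sizeof cwd) || !mkdtemp(base)) return -1;
    snprintf(avail, sizeof avail, "%s/conf.avail", base);
    snprintf(confd, sizeof confd, "%s/conf.d", base);
    snprintf(file, sizeof file, "%s/65-0-example.conf", avail);
    snprintf(link, sizeof link, "%s/65-0-example.conf", confd);
    if (mkdir(avail, 0755) || mkdir(confd, 0755)) return -1;
    FILE *f = fopen(file, "w");
    if (!f) return -1;
    fputs("<fontconfig/>\n", f);   /* constructed placeholder content */
    fclose(f);
    if (symlink("../conf.avail/65-0-example.conf", link)) return -1;

    if (chdir("/") == 0) {
        if (naive_target_found(link) == 1) result |= 1;      /* expected: not set */
        if (resolved_target_found(link) == 1) result |= 2;   /* expected: set */
    }
    if (chdir(confd) == 0 && naive_target_found(link) == 1) result |= 4;  /* expected: set */
    if (chdir(cwd) != 0) perror("chdir");

    unlink(link); unlink(file); rmdir(confd); rmdir(avail); rmdir(base);
    return result;
}

int main(void) {
    int r = demo();
    printf("naive from /: %d, resolved from /: %d, naive from conf.d: %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 6 ? 0 : 1;
}
```

The bitmask 6 (resolved lookup succeeds from "/", naive lookup succeeds only once the cwd is conf.d) is exactly the cwd dependence the report describes: the same symlink is "missing" or "present" depending on where the process was started. Any loader that inspects symlink targets should do the dirname() prefixing shown in resolve_link_target(), or simply avoid readlink() and let open() follow the link.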