From $URL:

The issues that Talos identified include the following:

An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.

A specially crafted font can cause a buffer overflow resulting in potential code execution.

An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

Additional information on each CVE:

- CVE-2016-1521 :: http://www.talosintel.com/reports/TALOS-2016-0061/ and http://www.talosintel.com/reports/TALOS-2016-0058/
- CVE-2016-1522 :: http://www.talosintel.com/reports/TALOS-2016-0060/ and http://www.talosintel.com/reports/TALOS-2016-0057/
- CVE-2016-1523 :: http://www.talosintel.com/reports/TALOS-2016-0059/
- CVE-2016-1526 :: none

By inspecting the commits, it looks like the problem described in http://www.talosintel.com/reports/TALOS-2016-0059/ has been taken care of, see https://github.com/silnrsi/graphite/commit/6106dcbd5bc4df2e6ef6a7c632c69ca71ba2b518

The vulnerable version reported in each advisory is 1.2.4

Reproducible: Always
*** Bug 571768 has been marked as a duplicate of this bug. ***
Bumped 1.3.5, which contains the commit referenced in comment #0. Let's give it some time for testing.
I haven't seen any sudden deluge in bugs, so let's go ahead. Arches, please stabilize =media-gfx/graphite2-1.3.5.

Target: all stable arches
amd64 stable
I'm not sure if this is correct to place it here, but what about LibreOffice 5.0.5.2, which is also stable but depends on graphite2-1.2? There's a conflict:

media-gfx/graphite2:0

  (media-gfx/graphite2-1.3.5:0/0::gentoo, ebuild scheduled for merge) conflicts with
    =media-gfx/graphite2-1.2* required by (app-office/libreoffice-bin-5.0.5.2:0/0::gentoo, ebuild scheduled for merge)
(In reply to Gleb from comment #5)
> I'm not sure if this is correct to place it here, but what about LibreOffice
> 5.0.5.2 which is also stable but depends on graphite2-1.2? There's a
> conflict:
>
> media-gfx/graphite2:0
>
> (media-gfx/graphite2-1.3.5:0/0::gentoo, ebuild scheduled for merge)
> conflicts with
> =media-gfx/graphite2-1.2* required by
> (app-office/libreoffice-bin-5.0.5.2:0/0::gentoo, ebuild scheduled for merge

commit 0844590de4e93e18b862d01b1a3ac6cdd2c30566 (HEAD -> master, origin/master, origin/HEAD)
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Thu Mar 3 01:03:33 2016 +0100

    app-office/libreoffice-bin: Revbump to relax graphite2 dependencies

    Package-Manager: portage-2.2.27

 app-office/libreoffice-bin/libreoffice-bin-5.0.5.2-r1.ebuild | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 app-office/libreoffice-bin/libreoffice-bin-5.0.5.2.ebuild    | 237 ---------------------------------------------------------------------------------------
 2 files changed, 237 insertions(+), 237 deletions(-)
Stable for PPC64.
Stable for HPPA.
arm stable
x86 stable
Stable on alpha.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Cleanup done. 1.2.1 remains in tree, only keyworded on s390, since this arch has not keyworded any newer version yet. Then again, s390 is not security-supported.
CVE-2016-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1526):
The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, incorrectly validates a size value, which allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted Graphite smart font.

CVE-2016-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1523):
The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font.

CVE-2016-1522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1522):
Code.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, does not consider recursive load calls during a size check, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via a crafted Graphite smart font.

CVE-2016-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1521):
The directrun function in directmachine.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, does not validate a certain skip operation, which allows remote attackers to execute arbitrary code, obtain sensitive information, or cause a denial of service (out-of-bounds read and application crash) via a crafted Graphite smart font.
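As an added illustration of the bug class behind CVE-2016-1526 (a size value that is not validated before a 'loca' table read, so a crafted font drives an out-of-bounds read), below is a hardened glyph-offset lookup written for this page. It is example code, not graphite2's TtfUtil::LocaLookup or the upstream fix; the `loca_view` struct, the function names and the sample tables are assumptions constructed here to show which bounds a safe lookup has to check: the glyph id against numGlyphs, the two needed entries against the declared 'loca' length, and the resulting offsets against the 'glyf' length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian field readers; sfnt tables are big-endian. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical view of the fields a loca lookup depends on. The lengths come
 * from the table directory and are attacker-controlled like the contents. */
struct loca_view {
    const uint8_t *loca;        /* 'loca' table bytes                            */
    size_t         loca_len;    /* 'loca' length from the table directory        */
    size_t         glyf_len;    /* 'glyf' length, bounds the returned offsets    */
    uint16_t       num_glyphs;  /* numGlyphs from 'maxp'                         */
    int            long_format; /* indexToLocFormat from 'head': 0 short, 1 long */
};

/* Byte range of glyph `gid` inside 'glyf'. Returns true and fills *off/*len
 * only when every read stays inside the buffers the font declares. */
bool loca_lookup(const struct loca_view *v, uint16_t gid, size_t *off, size_t *len)
{
    if (v == NULL || v->loca == NULL || off == NULL || len == NULL)
        return false;
    if (gid >= v->num_glyphs)            /* maxp says this glyph does not exist */
        return false;

    /* 'loca' holds numGlyphs + 1 entries; we need entries gid and gid + 1.
     * Check the declared length covers both BEFORE dereferencing: a crafted
     * 'maxp' can claim more glyphs than 'loca' actually stores. */
    size_t entry = v->long_format ? 4 : 2;
    size_t need  = ((size_t)gid + 2) * entry;
    if (need > v->loca_len)
        return false;

    size_t start, end;
    if (v->long_format) {
        start = rd32(v->loca + (size_t)gid * 4);
        end   = rd32(v->loca + ((size_t)gid + 1) * 4);
    } else {                             /* short format stores offset / 2 */
        start = (size_t)rd16(v->loca + (size_t)gid * 2) * 2;
        end   = (size_t)rd16(v->loca + ((size_t)gid + 1) * 2) * 2;
    }

    /* Offsets must be monotonic and must not point past the end of 'glyf'. */
    if (end < start || end > v->glyf_len)
        return false;

    *off = start;
    *len = end - start;
    return true;
}

/* Constructed sample tables (not from any real font). Short-format 'loca' for
 * 3 glyphs = 4 entries stored as offset/2: 0, 10, 10, 25, i.e. byte offsets
 * 0, 20, 20, 50 into a 50-byte 'glyf'. */
static const uint8_t SAMPLE_LOCA[8]  = { 0x00,0x00, 0x00,0x0A, 0x00,0x0A, 0x00,0x19 };
/* Same table, but the last entry points to byte 510, beyond the 50-byte 'glyf'. */
static const uint8_t CRAFTED_LOCA[8] = { 0x00,0x00, 0x00,0x0A, 0x00,0x0A, 0x00,0xFF };

/* Glyph length, or -1 when the lookup is rejected. */
static long lookup_len(const uint8_t *loca, size_t loca_len, uint16_t num_glyphs,
                       size_t glyf_len, uint16_t gid)
{
    struct loca_view v = { loca, loca_len, glyf_len, num_glyphs, 0 };
    size_t off, len;
    return loca_lookup(&v, gid, &off, &len) ? (long)len : -1L;
}

/* Consistent font: 'maxp' and the table directory agree. */
long sample_glyph_len(uint16_t gid)
{
    return lookup_len(SAMPLE_LOCA, sizeof SAMPLE_LOCA, 3, 50, gid);
}

/* 'maxp' claims 100 glyphs but 'loca' is still 8 bytes: the length check,
 * not the numGlyphs check, is what stops the out-of-bounds read. */
long truncated_glyph_len(uint16_t gid)
{
    return lookup_len(SAMPLE_LOCA, sizeof SAMPLE_LOCA, 100, 50, gid);
}

/* 'loca' is intact but an offset points past 'glyf'. */
long crafted_glyph_len(uint16_t gid)
{
    return lookup_len(CRAFTED_LOCA, sizeof CRAFTED_LOCA, 3, 50, gid);
}

int main(void)
{
    printf("sample gid 2:    %ld\n", sample_glyph_len(2));    /* 30 */
    printf("sample gid 3:    %ld\n", sample_glyph_len(3));    /* -1, past numGlyphs */
    printf("truncated gid 3: %ld\n", truncated_glyph_len(3)); /* -1, loca too short */
    printf("crafted gid 2:   %ld\n", crafted_glyph_len(2));   /* -1, offset past glyf */
    return 0;
}
```

The point of the three scenarios is that each bound is independent: a font can pass the numGlyphs check and still have a 'loca' too short for the requested entry, or have a well-formed 'loca' whose offsets land outside 'glyf'. Any parser that checks only one of these still reads out of bounds on a crafted font.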
New GLSA request filed.
Office out.
This issue was resolved and addressed in GLSA 201701-63 at https://security.gentoo.org/glsa/201701-63 by GLSA coordinator Thomas Deutschmann (whissi).