| Summary: | <media-libs/harfbuzz-1.0.6: multiple vulnerabilities (CVE-{2015-8947,2016-2052) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | gnome, office |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1301553 | ||
| Whiteboard: | A2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 584468, 587010 | ||
| Bug Blocks: | |||
@pacho: any specific reason why this has to wait for the slow gnome stablereq? We haven't tested the effect of the newer harfbuzz on very old gnome 3.16. We do know that a newer cantarell font has to be stabled together with this newer harfbuzz, or there will be huge issues with GNOME default font rendering. I believe it would be fine to stabilize this separately, when done together with media-fonts/cantarell-0.0.24, though gnome stable has been in queue for a long while already too. Well, the bug has already the arches CCed and ready for arch teams to go into it and fix this and many other pending bugs (some also security bugs). But, well, we all know how we all rely on Agostino for doing most of that work :'( (well, I already did amd64, I will try to finish the x86 stabilization... but I don't have enough manpower to do all the other arches...) media-libs/harfbuzz-1.2.7 is being stabilized in bug 584468 media-libs/harfbuzz-1.3.1 is being stabilized in bug 587010 (both open) Essentially ia64 and sparc are missing in either of these bugs, then the vulnerable version can be removed. All arches stable (remaining arches were stabilized in depending bugs). New GLSA request filed. This issue was resolved and addressed in GLSA 201701-76 at https://security.gentoo.org/glsa/201701-76 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6 were found, as used in Google Chrome before 48.0.2564.82, allowing attackers to cause a denial of service or possibly have other impact via unknown vectors. Upstream tracking bug: https://code.google.com/p/chromium/issues/detail?id=544270 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.