Bug 574276

Summary: <media-gfx/graphite2-1.3.5: Multiple vulnerabilities (CVE-2016-{1521,1522,1523,1526})
Product: Gentoo Security
Reporter: Olivier Huber <oli.huber>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alexander, hanno, luke
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.talosintel.com/reports/TALOS-2016-0058/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=574596
https://bugs.gentoo.org/show_bug.cgi?id=574968
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 574972    

Description Olivier Huber 2016-02-09 16:18:51 UTC
From $URL:
The issues that Talos identified include the following:

    An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service. 
    A specially crafted font can cause a buffer overflow resulting in potential code execution. 
    An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash. 

Additional information on each CVE:

- CVE-2016-1521 :: http://www.talosintel.com/reports/TALOS-2016-0061/ and http://www.talosintel.com/reports/TALOS-2016-0058/
- CVE-2016-1522 :: http://www.talosintel.com/reports/TALOS-2016-0060/ and http://www.talosintel.com/reports/TALOS-2016-0057/
- CVE-2016-1523 :: http://www.talosintel.com/reports/TALOS-2016-0059/
- CVE-2016-1526 :: none

By inspecting the commits, it looks like the problem described in http://www.talosintel.com/reports/TALOS-2016-0059/ has been taken care of, see https://github.com/silnrsi/graphite/commit/6106dcbd5bc4df2e6ef6a7c632c69ca71ba2b518

The vulnerable version reported in each advisory is 1.2.4 

Reproducible: Always
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2016-02-16 10:25:39 UTC
*** Bug 571768 has been marked as a duplicate of this bug. ***
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2016-02-16 10:32:37 UTC
Bumped 1.3.5 which contains the commit referenced in comment #0

Let's give it some time for testing
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-02-28 22:35:23 UTC
I haven't seen any sudden deluge in bugs, so let's go ahead.

Arches please stabilize 
=media-gfx/graphite2-1.3.5

Target: all stable arches
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-02 14:00:46 UTC
amd64 stable
Comment 5 Gleb 2016-03-02 23:48:54 UTC
I'm not sure if this is correct to place it here, but what about LibreOffice 5.0.5.2 which is also stable but depends on graphite2-1.2? There's a conflict:

media-gfx/graphite2:0

  (media-gfx/graphite2-1.3.5:0/0::gentoo, ebuild scheduled for merge) conflicts with
    =media-gfx/graphite2-1.2* required by (app-office/libreoffice-bin-5.0.5.2:0/0::gentoo, ebuild scheduled for merge
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2016-03-03 00:04:25 UTC
(In reply to Gleb from comment #5)
> I'm not sure if this is correct to place it here, but what about LibreOffice
> 5.0.5.2 which is also stable but depends on graphite2-1.2? There's a
> conflict:
> 
> media-gfx/graphite2:0
> 
>   (media-gfx/graphite2-1.3.5:0/0::gentoo, ebuild scheduled for merge)
> conflicts with
>     =media-gfx/graphite2-1.2* required by
> (app-office/libreoffice-bin-5.0.5.2:0/0::gentoo, ebuild scheduled for merge

commit 0844590de4e93e18b862d01b1a3ac6cdd2c30566 (HEAD -> master, origin/master, origin/HEAD)
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Thu Mar 3 01:03:33 2016 +0100

    app-office/libreoffice-bin: Revbump to relax graphite2 dependencies
    
    Package-Manager: portage-2.2.27

 app-office/libreoffice-bin/libreoffice-bin-5.0.5.2-r1.ebuild | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 app-office/libreoffice-bin/libreoffice-bin-5.0.5.2.ebuild    | 237 ---------------------------------------------------------------------------------------
 2 files changed, 237 insertions(+), 237 deletions(-)
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 08:34:12 UTC
Stable for PPC64.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-06 14:59:00 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2016-03-11 16:38:58 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-15 16:42:41 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:21:21 UTC
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-16 14:11:28 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-19 12:30:11 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-03-20 12:26:18 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Andreas K. Hüttel archtester gentoo-dev 2016-03-21 00:41:37 UTC
Cleanup done. 

1.2.1 remains in tree, only keyworded s390, since this arch has not keyworded any newer version yet. Then again s390 is not security-supported.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 12:11:47 UTC
CVE-2016-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1526):
  The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2
  1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, incorrectly validates a size value, which allows remote attackers to
  obtain sensitive information or cause a denial of service (out-of-bounds
  read and application crash) via a crafted Graphite smart font.

CVE-2016-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1523):
  The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite
  2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, mishandles a return value, which allows remote attackers to cause a
  denial of service (missing initialization, NULL pointer dereference, and
  application crash) via a crafted Graphite smart font.

CVE-2016-1522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1522):
  Code.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox
  before 43.0 and Firefox ESR 38.x before 38.6.1, does not consider recursive
  load calls during a size check, which allows remote attackers to cause a
  denial of service (heap-based buffer overflow) or possibly execute arbitrary
  code via a crafted Graphite smart font.

CVE-2016-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1521):
  The directrun function in directmachine.cpp in Libgraphite in Graphite 2
  1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, does not validate a certain skip operation, which allows remote
  attackers to execute arbitrary code, obtain sensitive information, or cause
  a denial of service (out-of-bounds read and application crash) via a crafted
  Graphite smart font.
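As an added illustration of the bug class behind CVE-2016-1526 (a loca lookup that trusts a declared size), not graphite2's own code: a TrueType 'loca' lookup in C that checks the declared glyph count and index format against the table's actual length and refuses inconsistent input instead of reading past the buffer. The function names and the sample table are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not graphite2's code): a bounds-checked
 * TrueType 'loca' lookup. 'loca' holds num_glyphs + 1 offsets into 'glyf',
 * as 16-bit half-offsets (indexToLocFormat 0) or 32-bit offsets (format 1).
 * Trusting the declared glyph count or format without checking them against
 * the table's real length is the out-of-bounds read class described above. */

static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 1 and the glyph's [start, end) range in glyf, or 0 on any
 * inconsistency between count, format, table length and offsets. */
int loca_lookup(const uint8_t *loca, size_t loca_len, int long_format,
                size_t num_glyphs, size_t glyph_id, size_t glyf_len,
                uint32_t *start, uint32_t *end)
{
    size_t entry = long_format ? 4 : 2;
    /* The declared count must fit the bytes we actually have. */
    if (num_glyphs == SIZE_MAX || num_glyphs + 1 > loca_len / entry) return 0;
    /* Both entries glyph_id and glyph_id + 1 must exist. */
    if (glyph_id >= num_glyphs) return 0;
    const uint8_t *p = loca + glyph_id * entry;
    uint32_t s = long_format ? be32(p) : be16(p) * 2u;
    uint32_t e = long_format ? be32(p + 4) : be16(p + 2) * 2u;
    /* Offsets must be ordered and stay inside glyf. */
    if (s > e || e > glyf_len) return 0;
    *start = s; *end = e;
    return 1;
}

/* Wrapper for checking: end offset on success, -1 when the lookup is refused. */
long loca_lookup_end(const uint8_t *loca, size_t loca_len, int long_format,
                     size_t num_glyphs, size_t glyph_id, size_t glyf_len)
{
    uint32_t s, e;
    return loca_lookup(loca, loca_len, long_format, num_glyphs, glyph_id,
                       glyf_len, &s, &e) ? (long)e : -1;
}

/* Constructed short-format loca for 3 glyphs: half-offsets 0,5,5,10
 * (byte offsets 0,10,10,20) paired with a 20-byte glyf table. */
static const uint8_t kLoca[8] = { 0,0, 0,5, 0,5, 0,10 };

int main(void) {
    printf("glyph 2 ends at %ld\n", loca_lookup_end(kLoca, sizeof kLoca, 0, 3, 2, 20));
    /* A header claiming 4 glyphs, or long format, for this 8-byte table is refused. */
    printf("4 glyphs: %ld, long format: %ld\n",
           loca_lookup_end(kLoca, sizeof kLoca, 0, 4, 0, 20),
           loca_lookup_end(kLoca, sizeof kLoca, 1, 3, 0, 20));
    return 0;
}
```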
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-30 12:15:26 UTC
New GLSA request filed.
Comment 18 Andreas K. Hüttel archtester gentoo-dev 2016-07-02 20:48:15 UTC
Office out.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 16:41:53 UTC
This issue was resolved and addressed in
 GLSA 201701-63 at https://security.gentoo.org/glsa/201701-63
by GLSA coordinator Thomas Deutschmann (whissi).