
Bug 576864 (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802)

Summary: <media-gfx/graphite2-1.3.7: multiple font parsing vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: atoth, office
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1315795
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-03-09 14:58:24 UTC
From ${URL} :

Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5.

The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded.

Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts.

To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. 


External Reference:

https://www.mozilla.org/security/announce/2016/mfsa2016-37.html


Acknowledgements:

Name: the Mozilla project
Upstream: Holger Fuhrmannek, Tyson Smith


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-17 20:39:53 UTC
Should we use this bug for other packages that bundle graphite2 (firefox, thunderbird) as well?
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-17 20:41:46 UTC
(In reply to Ian Stakenvicius from comment #1)
> Should we use this bug for other packages that bundle graphite2 (firefox,
> thunderbird) as well?

I tend to prefer trackers; for graphite2, see bug 574972 for example.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-03-21 00:46:01 UTC
Arches please stabilize

media-gfx/graphite2-1.3.7
dev-python/fonttools-3.0

Target: all stable arches

Note: alpha and sparc haven't even keyworded this yet, see bug 575782
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-22 14:34:20 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-26 09:25:16 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-27 10:16:58 UTC
ppc stable
Comment 7 Markus Meier gentoo-dev 2016-03-30 18:31:11 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-04-11 10:39:54 UTC
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 12:46:29 UTC
Alpha done.
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2016-07-03 19:51:35 UTC
(In reply to Tobias Klausmann from comment #9)
> Alpha done.

alpha still missing, probably something went wrong...

ia64, sparc: ping!
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-04 09:20:01 UTC
(In reply to Andreas K. Hüttel from comment #10)
> (In reply to Tobias Klausmann from comment #9)
> > Alpha done.
> 
> alpha still missing, probably something went wrong...

Fixed now.
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2016-07-04 21:01:03 UTC
ia64, sparc: please continue in bug 585354 instead. 

office out
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2016-08-11 15:37:31 UTC
There is a call for stabilization in bug 585354; we will continue in that one since it is almost done. But it still needs keywording.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-11-20 04:15:12 UTC
CVE-2016-2802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2802):
  The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in Graphite 2
  before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
  before 38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2801 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2801):
  The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp in
  Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox
  ESR 38.x before 38.7, allows remote attackers to cause a denial of service
  (buffer over-read) or possibly have unspecified other impact via a crafted
  Graphite smart font, a different vulnerability than CVE-2016-2797.

CVE-2016-2800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2800):
  The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font, a different vulnerability than CVE-2016-2792.

CVE-2016-2799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2799):
  Heap-based buffer overflow in the graphite2::Slot::setAttr function in
  Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox
  ESR 38.x before 38.7, allows remote attackers to cause a denial of service
  or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2798 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2798):
  The graphite2::GlyphCache::Loader::Loader function in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2797 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2797):
  The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font, a different vulnerability than CVE-2016-2801.

CVE-2016-2796 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2796):
  Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code
  function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0
  and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial
  of service or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2795):
  The graphite2::FileFace::get_table_fn function in Graphite 2 before 1.3.6,
  as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7,
  does not initialize memory for an unspecified data structure, which allows
  remote attackers to cause a denial of service or possibly have unknown other
  impact via a crafted Graphite smart font.

CVE-2016-2794 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2794):
  The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in Graphite 2
  before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
  before 38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2793):
  CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before
  45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a
  denial of service (buffer over-read) or possibly have unspecified other
  impact via a crafted Graphite smart font.

CVE-2016-2792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2792):
  The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font, a different vulnerability than CVE-2016-2800.

CVE-2016-2791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2791):
  The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as
  used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows
  remote attackers to cause a denial of service (buffer over-read) or possibly
  have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2790):
  The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before 1.3.6, as
  used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does
  not initialize memory for an unspecified data structure, which allows remote
  attackers to cause a denial of service or possibly have unknown other impact
  via a crafted Graphite smart font.

CVE-2016-1977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1977):
  The Machine::Code::decoder::analysis::set_ref function in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to execute arbitrary code or cause a denial of
  service (stack memory corruption) via a crafted Graphite smart font.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 16:42:02 UTC
This issue was resolved and addressed in GLSA 201701-63 at https://security.gentoo.org/glsa/201701-63 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-24 16:44:01 UTC
Re-opening for cleanup.

@ Maintainer(s): Please clean up and drop <media-gfx/graphite2-1.3.7.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-05-26 23:21:48 UTC
Version no longer in tree.
Arches and Maintainer(s), Thank you for your work.
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 11:08:30 UTC
All done.