Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 616034 (CVE-2017-5436)

Summary: <media-gfx/graphite2-1.3.8-r1: Out-of-bounds write with malicious font
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
=media-gfx/graphite2-1.3.8-r1
 Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-04-19 18:26:18 UTC 
From https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/:


CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2

Impact
    critical

Description

An out-of-bounds write in the Graphite 2 library triggered with a
maliciously crafted Graphite font. This results in a potentially
exploitable crash. This issue was fixed in the Graphite 2 library as well
as Mozilla products.
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2017-04-28 13:57:08 UTC 
Upstream hasn't released a version with fixes yet.

Graphite2 versions 1.3.8-r1 and 1.3.9-r1 include the backported commits that Mozilla used to address the CVE.

As 1.3.8 is current stable, 1.3.8-r1 should likely be the easiest one to stabilize quickly.

if office@ approves could we get arches CC'd for stabilization asap?
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-04-28 20:41:30 UTC 
(In reply to Ian Stakenvicius from comment #1)
> Upstream hasn't released a version with fixes yet.
> 
> Graphite2 versions 1.3.8-r1 and 1.3.9-r1 include the backported commits that
> Mozilla used to address the CVE.
> 
> As 1.3.8 is current stable, 1.3.8-r1 should likely be the easiest one to
> stabilize quickly.
> 

Do it!
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-29 12:33:16 UTC 
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-04-29 14:49:20 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-29 15:06:09 UTC 
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-04-30 09:40:08 UTC 
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-04 15:56:13 UTC 
x86 stable
Comment 8 Markus Meier gentoo-dev 2017-05-11 19:27:32 UTC 
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-12 14:55:47 UTC 
sparc stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-12 17:58:23 UTC 
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2017-05-13 06:25:26 UTC 
arm stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-05-21 07:18:03 UTC 
All security supported arches completed. ia64 please complete stabilization.

New GLSA Request filed.
Comment 13 Agostino Sarubbo gentoo-dev 2017-06-10 15:16:10 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2017-06-10 21:17:23 UTC 
Cleanup done
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 19:10:31 UTC 
This issue was resolved and addressed in
 GLSA 201706-25 at https://security.gentoo.org/glsa/201706-25
by GLSA coordinator Kristian Fiskerstrand (K_F).