Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 621724 (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778)

Summary: <media-gfx/graphite2-1.3.10: multiple vulnerabilities
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-06-14 07:16:38 UTC
From ${URL} :

A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in 
Graphite 2 version 1.3.10.


Graphite2 lz4::decompress out of bounds write (CVE-2017-7778)
Graphite2 out of bounds read [@ graphite2::Pass::readPass] (CVE-2017-7771)
Graphite2 heap-buffer-overflow write [@ lz4::decompress] (CVE-2017-7772)
Graphite2 heap-buffer-overflow write [@ lz4::decompress] src/Decompressor (CVE-2017-7773)
Graphite2 out of bounds read [@ graphite2::Silf::readGraphite] (CVE-2017-7774)
Graphite2 Assertion 'size() > n' failed (CVE-2017-7775)
Graphite2 heap-buffer-overflow read [@ graphite2::Silf::getClassGlyph] (CVE-2017-7776)
Graphite2 use of uninitialized memory [@ graphite2::GlyphCache::Loader::read_glyph] (CVE-2017-7777)

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-15 20:00:30 UTC
@ Arches,

please test and mark stable: =media-gfx/graphite2-1.3.10
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-16 14:10:52 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-17 17:26:43 UTC
x86 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 14:59:46 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-21 12:05:11 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:18:28 UTC
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2017-06-23 04:40:09 UTC
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-30 07:37:56 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 09:09:22 UTC
sparc stable
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:25:45 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
Comment 11 Andreas Sturmlechner gentoo-dev 2017-10-08 12:58:08 UTC
Vulnerable version dropped in git commit 13cc021ade3a4a769c1ad789fb73f351fbd45a54, hppa destabilised.
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-08 16:42:09 UTC
GLSA Request filed.

Gentoo Security Padawan
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-10-13 23:38:03 UTC
This issue was resolved and addressed in
 GLSA 201710-13 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Matt Turner gentoo-dev 2018-03-21 21:09:11 UTC
hppa stable