Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574968 - <www-client/seamonkey-2.40: arbitrary code execution in bundled graphite library (CVE-2016-{1521,1522,1523,1526})
Summary: <www-client/seamonkey-2.40: arbitrary code execution in bundled graphite libr...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve blocked]
Keywords:
Depends on: 604500
Blocks: CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526
  Show dependency tree
 
Reported: 2016-02-17 14:49 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2017-01-13 15:03 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chí-Thanh Christopher Nguyễn gentoo-dev 2016-02-17 14:49:18 UTC
It appears that www-client/seamonkey-2.38 bundles graphite 1.2.4 which is vulnerable to CVE-2016-1523 and others.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2016-02-17 15:08:35 UTC
2.39 is also affected so no stable candidate.

I gonna check seamonkey-2.40_pre4
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-06 13:21:21 UTC
commit 9a303064ac8267030c490c5a6efaac6a93756e9a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Mar 6 14:18:03 2016

    www-client/seamonkey: Bump to version 2.40_pre4 (with additional graphite2 fix)

    Package-Manager: portage-2.2.27
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Unfortunately seamonkey upstream seems to have severe problems with their release process so I decided to go with their latest release candidate and added the graphite2 fix on to.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 09:55:43 UTC
@maintainer(s), is this ready for stable?
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-30 12:31:31 UTC
@arches, please stabilize:

=www-client/seamonkey-2.40

New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 12:32:57 UTC
CVE-2016-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1526):
  The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2
  1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, incorrectly validates a size value, which allows remote attackers to
  obtain sensitive information or cause a denial of service (out-of-bounds
  read and application crash) via a crafted Graphite smart font.

CVE-2016-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1523):
  The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite
  2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, mishandles a return value, which allows remote attackers to cause a
  denial of service (missing initialization, NULL pointer dereference, and
  application crash) via a crafted Graphite smart font.

CVE-2016-1522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1522):
  Code.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox
  before 43.0 and Firefox ESR 38.x before 38.6.1, does not consider recursive
  load calls during a size check, which allows remote attackers to cause a
  denial of service (heap-based buffer overflow) or possibly execute arbitrary
  code via a crafted Graphite smart font.

CVE-2016-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1521):
  The directrun function in directmachine.cpp in Libgraphite in Graphite 2
  1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, does not validate a certain skip operation, which allows remote
  attackers to execute arbitrary code, obtain sensitive information, or cause
  a denial of service (out-of-bounds read and application crash) via a crafted
  Graphite smart font.
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-30 14:04:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-30 14:04:40 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-01 06:19:38 UTC
Shall we include seamonkey-bin?
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-16 13:35:08 UTC
@maintainer(s), what is the situation with -bin ?  How would you like to proceed?
Comment 11 Ian Stakenvicius gentoo-dev 2016-07-17 02:02:08 UTC
seamonkey-bin-2.40 can go stable an time, but it's vulnerable to everything that Firefox-43-45.1 is vulnerable to.

I just bumped an unofficial 2.44 release, if that can be evaluated as ok enough for arch teams then I'm ok for it to go stable so these others can be dropped.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-20 09:08:45 UTC
(In reply to Ian Stakenvicius from comment #11)
> seamonkey-bin-2.40 can go stable an time, but it's vulnerable to everything
> that Firefox-43-45.1 is vulnerable to.
> 
> I just bumped an unofficial 2.44 release, if that can be evaluated as ok
> enough for arch teams then I'm ok for it to go stable so these others can be
> dropped.

Ok, we will hold off then.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-21 06:45:15 UTC
Any updates on -bin here?  2.44_pre20160608 seems to be the latest version without this vulnerability.
Comment 14 Ian Stakenvicius gentoo-dev 2016-10-21 15:22:29 UTC
(In reply to Aaron Bauman from comment #13)
> Any updates on -bin here?  2.44_pre20160608 seems to be the latest version
> without this vulnerability.

Upstream still hasn't done an official release, and the unofficial release builder ran into issuesa while back; I'll check to see if they're back up and running again.

For the most vulnerability-free seamonkey experience, it would likely be best to use the www-client/seamonkey-2.42.x series as I'm using the latest released ESR tarballs (45.x currently) for their source code (again, no releases upstream so we have to get creative with the source tarballs too).
Comment 15 Lars Wendler (Polynomial-C) gentoo-dev 2016-10-21 17:22:30 UTC
Upstream is preparing 2.46 release. See https://archive.mozilla.org/pub/seamonkey/candidates/2.46-candidates/
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-25 02:42:41 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #15)
> Upstream is preparing 2.46 release. See
> https://archive.mozilla.org/pub/seamonkey/candidates/2.46-candidates/

Can -bin be bumped yet to at least 2.40?
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-01-13 15:03:06 UTC
This issue was resolved and addressed in
 GLSA 201701-35 at https://security.gentoo.org/glsa/201701-35
by GLSA coordinator Aaron Bauman (b-man).