Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616034 (CVE-2017-5436) - <media-gfx/graphite2-1.3.8-r1: Out-of-bounds write with malicious font
Summary: <media-gfx/graphite2-1.3.8-r1: Out-of-bounds write with malicious font
Status: RESOLVED FIXED
Alias: CVE-2017-5436
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-19 18:26 UTC by Thomas Deutschmann
Modified: 2017-06-22 19:10 UTC (History)
0 users

See Also:
Package list:
=media-gfx/graphite2-1.3.8-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-04-19 18:26:18 UTC
From https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/:


CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2

Impact
    critical

Description

An out-of-bounds write in the Graphite 2 library triggered with a
maliciously crafted Graphite font. This results in a potentially
exploitable crash. This issue was fixed in the Graphite 2 library as well
as Mozilla products.
Comment 1 Ian Stakenvicius gentoo-dev 2017-04-28 13:57:08 UTC
Upstream hasn't released a version with fixes yet.

Graphite2 versions 1.3.8-r1 and 1.3.9-r1 include the backported commits that Mozilla used to address the CVE.

As 1.3.8 is current stable, 1.3.8-r1 should likely be the easiest one to stabilize quickly.

if office@ approves could we get arches CC'd for stabilization asap?
Comment 2 Andreas K. Hüttel gentoo-dev 2017-04-28 20:41:30 UTC
(In reply to Ian Stakenvicius from comment #1)
> Upstream hasn't released a version with fixes yet.
> 
> Graphite2 versions 1.3.8-r1 and 1.3.9-r1 include the backported commits that
> Mozilla used to address the CVE.
> 
> As 1.3.8 is current stable, 1.3.8-r1 should likely be the easiest one to
> stabilize quickly.
> 

Do it!
Comment 3 Jeroen Roovers gentoo-dev 2017-04-29 12:33:16 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-04-29 14:49:20 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-29 15:06:09 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-04-30 09:40:08 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-04 15:56:13 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2017-05-11 19:27:32 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-12 14:55:47 UTC
sparc stable
Comment 10 Tobias Klausmann gentoo-dev 2017-05-12 17:58:23 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2017-05-13 06:25:26 UTC
arm stable
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-21 07:18:03 UTC
All security supported arches completed. ia64 please complete stabilization.

New GLSA Request filed.
Comment 13 Agostino Sarubbo gentoo-dev 2017-06-10 15:16:10 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 14 Andreas K. Hüttel gentoo-dev 2017-06-10 21:17:23 UTC
Cleanup done
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 19:10:31 UTC
This issue was resolved and addressed in
 GLSA 201706-25 at https://security.gentoo.org/glsa/201706-25
by GLSA coordinator Kristian Fiskerstrand (K_F).