Bug 572856 (CVE-2015-8947, CVE-2016-2052) - <media-libs/harfbuzz-1.0.6: multiple vulnerabilities (CVE-{2015-8947,2016-2052})
Alias: CVE-2015-8947, CVE-2016-2052
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on: 584468 gnome-3.20-stable
Reported: 2016-01-25 11:51 UTC by Agostino Sarubbo
Modified: 2017-01-31 12:28 UTC
Description Agostino Sarubbo gentoo-dev 2016-01-25 11:51:06 UTC
From ${URL} :

Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6 were found, as used in Google Chrome before 48.0.2564.82, allowing attackers to cause a denial of service or possibly have other impact via unknown vectors.

Upstream tracking bug:

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2016-03-26 21:29:44 UTC
@pacho: any specific reason why this has to wait for the slow gnome stablereq?
Comment 2 Mart Raudsepp gentoo-dev 2016-03-27 09:53:24 UTC
We haven't tested the effect of the newer harfbuzz on very old gnome 3.16.
We do know that a newer cantarell font has to be stabled together with this newer harfbuzz, or there will be huge issues with GNOME default font rendering. I believe it would be fine to stabilize this separately, when done together with media-fonts/cantarell-0.0.24, though gnome stable has been in queue for a long while already too.
Comment 3 Pacho Ramos gentoo-dev 2016-04-02 13:32:35 UTC
Well, the bug has already the arches CCed and ready for arch teams to go into it and fix this and many other pending bugs (some also security bugs).

But, well, we all know how we all rely on Agostino for doing most of that work :'( (well, I already did amd64, I will try to finish the x86 stabilization... but I don't have enough manpower to do all the other arches...)
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2016-11-19 21:10:16 UTC

media-libs/harfbuzz-1.2.7 is being stabilized in bug 584468
media-libs/harfbuzz-1.3.1 is being stabilized in bug 587010

(both open)

Essentially ia64 and sparc are missing in either of these bugs, then the vulnerable version can be removed.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 02:22:36 UTC
All arches stable (remaining arches were stabilized in depending bugs).

New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-31 12:28:08 UTC
This issue was resolved and addressed in
 GLSA 201701-76 at
by GLSA coordinator Thomas Deutschmann (whissi).