From ${URL} : Security researcher Holger Fuhrmannek and Mozilla security engineer Tyson Smith reported a number of security vulnerabilities in the Graphite 2 library affecting version 1.3.5. The issue reported by Holger Fuhrmannek is a mechanism to induce stack corruption with a malicious graphite font. This leads to a potentially exploitable crash when the font is loaded. Tyson Smith used the Address Sanitizer tool in concert with a custom software fuzzer to find a series of uninitialized memory, out-of-bounds read, and out-of-bounds write errors when working with fuzzed graphite fonts. To address these security vulnerabilities, Firefox 45 and Firefox ESR 38.7 have been updated to Graphite 2 version 1.3.6. External Reference: https://www.mozilla.org/security/announce/2016/mfsa2016-37.html Acknowledgements: Name: the Mozilla project Upstream: Holger Fuhrmannek, Tyson Smith @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Should we use this bug for other packages that bundle graphite2 (firefox, thunderbird) as well?
(In reply to Ian Stakenvicius from comment #1) > Should we use this bug for other packages that bundle graphite2 (firefox, > thunderbird) as well? I tend to prefer trackers, for graphite2 example see bug 574972
Arches, please stabilize media-gfx/graphite2-1.3.7 dev-python/fonttools-3.0 Target: all stable arches Note: alpha and sparc haven't even keyworded this yet, see bug 575782
amd64 stable
Stable for HPPA PPC64.
ppc stable
arm stable
x86 stable
Alpha done.
(In reply to Tobias Klausmann from comment #9) > Alpha done. alpha still missing, probably something went wrong... ia64, sparc: ping!
(In reply to Andreas K. Hüttel from comment #10) > (In reply to Tobias Klausmann from comment #9) > > Alpha done. > > alpha still missing, probably something went wrong... Fixed now.
ia64, sparc: please continue in bug 585354 instead. office out
There is a call for stabilization in bug 585354, will continue in that one since it is almost done. But still need keywording.
CVE-2016-2802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2802): The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2801 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2801): The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2797.

CVE-2016-2800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2800): The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2792.

CVE-2016-2799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2799): Heap-based buffer overflow in the graphite2::Slot::setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2798 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2798): The graphite2::GlyphCache::Loader::Loader function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2797 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2797): The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2801.

CVE-2016-2796 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2796): Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2795): The graphite2::FileFace::get_table_fn function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does not initialize memory for an unspecified data structure, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted Graphite smart font.

CVE-2016-2794 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2794): The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2793): CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2792): The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2800.

CVE-2016-2791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2791): The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2790): The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does not initialize memory for an unspecified data structure, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted Graphite smart font.

CVE-2016-1977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1977): The Machine::Code::decoder::analysis::set_ref function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a crafted Graphite smart font.
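Several of the CVEs above (CVE-2016-2802, CVE-2016-2801, CVE-2016-2797, CVE-2016-2794, CVE-2016-2793) are buffer over-reads in cmap subtable lookups driven by a crafted font. As an added illustration of that bug class and the check that prevents it, the following is a minimal bounds-checked reader for a TrueType cmap format 4 subtable. It is not graphite2 or Mozilla code and does not reproduce the actual defects in TtfUtil.cpp; it assumes only the standard cmap format 4 layout (14-byte header, then endCode[], reservedPad, startCode[], idDelta[], idRangeOffset[], glyphIdArray[]), and the sample table, the function names and the patched field offsets are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not graphite2 code: every array index derived from the
 * font is compared against the subtable's byte length before the read.  A
 * crafted font controls segCountX2 and idRangeOffset[]; without these checks
 * a lookup walks off the end of the table (a buffer over-read). */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Returns 1 if the header and the four parallel segment arrays fit inside
 * `len` bytes and the 0xFFFF sentinel segment is present, else 0. */
int cmap4_validate(const uint8_t *tbl, size_t len, uint16_t *segcount_out)
{
    if (len < 14 || be16(tbl) != 4) return 0;          /* too short / not format 4 */
    uint16_t length = be16(tbl + 2);
    if (length < 14 || length > len) return 0;         /* declared length vs buffer */
    uint16_t segX2 = be16(tbl + 6);
    if (segX2 == 0 || (segX2 & 1)) return 0;
    uint16_t seg = segX2 / 2;
    /* endCode[seg] reservedPad startCode[seg] idDelta[seg] idRangeOffset[seg] */
    size_t need = 16 + (size_t)seg * 8;
    if (need > length) return 0;                       /* arrays run off the end */
    if (be16(tbl + 14 + 2 * (seg - 1)) != 0xFFFF) return 0; /* missing sentinel */
    *segcount_out = seg;
    return 1;
}

/* Maps a BMP code point to a glyph id; returns 0 (.notdef) when unmapped,
 * when the table is malformed, or when idRangeOffset would read past it. */
uint16_t cmap4_lookup(const uint8_t *tbl, size_t len, uint16_t cp)
{
    uint16_t seg;
    if (!cmap4_validate(tbl, len, &seg)) return 0;
    uint16_t length = be16(tbl + 2);
    const uint8_t *endCode   = tbl + 14;
    const uint8_t *startCode = endCode + 2 * seg + 2;  /* skip reservedPad */
    const uint8_t *idDelta   = startCode + 2 * seg;
    const uint8_t *idRange   = idDelta + 2 * seg;
    for (uint16_t i = 0; i < seg; i++) {
        if (cp > be16(endCode + 2 * i)) continue;
        uint16_t start = be16(startCode + 2 * i);
        if (cp < start) return 0;                      /* falls in a gap */
        uint16_t delta = be16(idDelta + 2 * i);
        uint16_t ro    = be16(idRange + 2 * i);
        if (ro == 0) return (uint16_t)(cp + delta);    /* arithmetic mapping */
        /* glyph id lives at &idRangeOffset[i] + ro + 2*(cp - start); ro is
         * attacker-controlled, so bound the offset before dereferencing. */
        size_t off = (size_t)(idRange + 2 * i - tbl) + ro + 2 * (size_t)(cp - start);
        if (off + 2 > length) return 0;                /* would over-read */
        uint16_t g = be16(tbl + off);
        return g ? (uint16_t)(g + delta) : 0;
    }
    return 0;
}

/* Constructed sample (not a real font): one segment U+0041..U+0043 mapped by
 * idDelta to glyphs 1..3, followed by the mandatory 0xFFFF sentinel. */
const uint8_t good_cmap4[32] = {
    0x00,0x04, 0x00,0x20, 0x00,0x00,   /* format 4, length 32, language 0 */
    0x00,0x04,                         /* segCountX2 = 4 (two segments) */
    0x00,0x04, 0x00,0x01, 0x00,0x00,   /* searchRange, entrySelector, rangeShift */
    0x00,0x43, 0xFF,0xFF,              /* endCode[] */
    0x00,0x00,                         /* reservedPad */
    0x00,0x41, 0xFF,0xFF,              /* startCode[] */
    0xFF,0xC0, 0x00,0x01,              /* idDelta[]: 1 - 0x41 mod 2^16, 1 */
    0x00,0x00, 0x00,0x00,              /* idRangeOffset[] (offset 28) */
};

/* Copy the sample into `out` and overwrite one big-endian 16-bit field, to
 * build the "crafted font" variants: idRangeOffset[0] is at offset 28,
 * segCountX2 at offset 6. */
void cmap4_patched(uint8_t out[32], size_t field_off, uint16_t value)
{
    memcpy(out, good_cmap4, 32);
    out[field_off]     = (uint8_t)(value >> 8);
    out[field_off + 1] = (uint8_t)value;
}

int main(void)
{
    uint8_t crafted[32];
    cmap4_patched(crafted, 28, 0x1000);            /* idRangeOffset far outside */
    printf("A -> %u, D -> %u, crafted idRangeOffset -> %u\n",
           (unsigned)cmap4_lookup(good_cmap4, 32, 0x41),
           (unsigned)cmap4_lookup(good_cmap4, 32, 0x44),
           (unsigned)cmap4_lookup(crafted, 32, 0x41));
    return 0;
}
```

The two checks worth noting are the `need > length` test (a segment count larger than the table can hold) and the `off + 2 > length` test (an idRangeOffset that lands outside the table); both compare against the length actually available, not the one the font declares. Running the original parser under AddressSanitizer, as described in the advisory, is what turns the silent over-read into a reported crash.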
This issue was resolved and addressed in GLSA 201701-63 at https://security.gentoo.org/glsa/201701-63 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please cleanup and drop <media-gfx/graphite2-1.3.7.
Version no longer in tree. Arches and Maintainer(s), Thank you for your work.
All done.