From https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/: CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2 Impact critical Description An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products.
Upstream hasn't released a version with fixes yet. Graphite2 versions 1.3.8-r1 and 1.3.9-r1 include the backported commits that Mozilla used to address the CVE. As 1.3.8 is current stable, 1.3.8-r1 should likely be the easiest one to stabilize quickly. if office@ approves could we get arches CC'd for stabilization asap?
(In reply to Ian Stakenvicius from comment #1) > Upstream hasn't released a version with fixes yet. > > Graphite2 versions 1.3.8-r1 and 1.3.9-r1 include the backported commits that > Mozilla used to address the CVE. > > As 1.3.8 is current stable, 1.3.8-r1 should likely be the easiest one to > stabilize quickly. > Do it!
Stable for HPPA.
amd64 stable
ppc stable
ppc64 stable
x86 stable
arm stable
sparc stable
Stable on alpha.
All security supported arches completed. ia64 please complete stabilization. New GLSA Request filed.
ia64 stable. Maintainer(s), please cleanup.
Cleanup done
This issue was resolved and addressed in GLSA 201706-25 at https://security.gentoo.org/glsa/201706-25 by GLSA coordinator Kristian Fiskerstrand (K_F).