Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621724 (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778) - <media-gfx/graphite2-1.3.10: multiple vulnerabilities
Summary: <media-gfx/graphite2-1.3.10: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-14 07:16 UTC by Agostino Sarubbo
Modified: 2018-03-21 21:09 UTC (History)
0 users

See Also:
Package list:
media-gfx/graphite2-1.3.10
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-14 07:16:38 UTC 
From ${URL} :

A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory. These issues were addressed in 
Graphite 2 version 1.3.10.

References

Graphite2 lz4::decompress out of bounds write (CVE-2017-7778)
Graphite2 out of bounds read [@ graphite2::Pass::readPass] (CVE-2017-7771)
Graphite2 heap-buffer-overflow write [@ lz4::decompress] (CVE-2017-7772)
Graphite2 heap-buffer-overflow write [@ lz4::decompress] src/Decompressor (CVE-2017-7773)
Graphite2 out of bounds read [@ graphite2::Silf::readGraphite] (CVE-2017-7774)
Graphite2 Assertion 'size() > n' failed (CVE-2017-7775)
Graphite2 heap-buffer-overflow read [@ graphite2::Silf::getClassGlyph] (CVE-2017-7776)
Graphite2 use of uninitialized memory [@ graphite2::GlyphCache::Loader::read_glyph] (CVE-2017-7777)


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-15 20:00:30 UTC 
@ Arches,

please test and mark stable: =media-gfx/graphite2-1.3.10
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-16 14:10:52 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-17 17:26:43 UTC 
x86 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 14:59:46 UTC 
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-21 12:05:11 UTC 
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:18:28 UTC 
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2017-06-23 04:40:09 UTC 
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-30 07:37:56 UTC 
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 09:09:22 UTC 
sparc stable
Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:25:45 UTC 
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 11 Andreas Sturmlechner gentoo-dev 2017-10-08 12:58:08 UTC 
Vulnerable version dropped in git commit 13cc021ade3a4a769c1ad789fb73f351fbd45a54, hppa destabilised.
Comment 12 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-08 16:42:09 UTC 
GLSA Request filed.

Gentoo Security Padawan
ChrisADR
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-10-13 23:38:03 UTC 
This issue was resolved and addressed in
 GLSA 201710-13 at https://security.gentoo.org/glsa/201710-13
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Matt Turner gentoo-dev 2018-03-21 21:09:11 UTC 
hppa stable