Bug 17866

Summary: graphite2 new security issues fixed upstream in 1.3.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/678388/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: graphite2-1.3.5-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-02 19:59:48 CET 
Fedora has issued an advisory on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

The graphite2 package has been updated to version 1.3.6 which fixes
multiple unspecified security issues.

References:
https://github.com/silnrsi/graphite/releases/tag/1.3.6
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.6-1.mga5
libgraphite2_3-1.3.6-1.mga5
libgraphite2-devel-1.3.6-1.mga5

from graphite2-1.3.6-1.mga5.src.rpm
Comment 1 David Walser 2016-03-02 20:00:12 CET 
Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=17780#c6

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2016-03-03 08:12:00 CET 
mga5  i586 virtualbox  Mate

Installed graphite2 and ran some checks then installed the update candidate and went back to the fontdemo page suggested in the link in comment #1.
All fonts displayed correctly except Padauk (not installed).
"The quick brown FOX jumps over the lazy DOG" displayed as
THe QuiCK BRoWN FoX JuMPS oVeR THe LaZY DoG
Downloaded and installed the Scheherazade and NeoAssyrian files and installed the TTF fonts.  In the libreoffice menu these displayed in Roman characters - expected Arabic and cuneiform.

Need to do some research.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2016-03-03 08:23:25 CET 
Had a quick look at the l18n/l10n wiki page and suspect that the rendering of the fonts has something to do with that (localization).
Comment 4 Len Lawrence 2016-03-03 09:53:33 CET 
Installed the Simple Graphics Font and tested it using libreoffice.  That worked.
OK for i586.
Len Lawrence 2016-03-03 09:53:55 CET

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 5 Len Lawrence 2016-03-03 10:03:55 CET 
mga5  x86_64  Mate

Updated graphite2 packages and confirmed that the fonts on the Graphite Font Demo page displayed properly.

Installed the toy font and used it in libreoffice.  It worked just as in the web browser.
Validating this.  Would someone please push this to Mageia 5 Updates?
Len Lawrence 2016-03-03 10:04:13 CET

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Len Lawrence 2016-03-03 10:04:28 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Lewis Smith 2016-03-07 12:14:24 CET 
Advisory uploaded; but it needs CVEs.

CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2016-03-07 12:21:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0097.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-03-09 14:24:16 CET 
RedHat Firefox advisory from today (March 9), which contains these:
https://rhn.redhat.com/errata/RHSA-2016-0373.html

Please update the following in SVN.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

Multiple security flaws were found in the graphite2 font library. A web page
or document containing malicious content could cause an application using
graphite2 to crash or, potentially, execute arbitrary code with the
privileges of the user running the application (CVE-2016-1977,
CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794,
CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799,
CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

The graphite2 package has been updated to version 1.3.6 which fixes
these security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://github.com/silnrsi/graphite/releases/tag/1.3.6
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html
https://rhn.redhat.com/errata/RHSA-2016-0373.html
Comment 10 claire robinson 2016-03-09 14:29:33 CET 
done