| Summary: | harfbuzz new security issues CVE-2015-8947 and CVE-2016-2052 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/695557/ | ||
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | harfbuzz-0.9.36-1.mga5.src.rpm | CVE: | |
| Status comment: | |||

Description
David Walser
2016-07-17 22:44:20 CEST
Assigning to maintainer

CC: (none) => marja11

CVE-2015-8947 assigned for the earlier issue:
http://openwall.com/lists/oss-security/2016/07/19/2

Patched package uploaded for Mageia 5.

Advisory:

========================

Updated harfbuzz packages fix security vulnerabilities:

Two memory access issues, including a heap-based buffer overflow (CVE-2015-8947) and incorrect table length check (CVE-2016-2052) could lead to a denial of service when rendering a crafted OpenType font.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
http://openwall.com/lists/oss-security/2016/07/17/8
http://openwall.com/lists/oss-security/2016/07/19/2

========================

Updated packages in core/updates_testing:

========================

harfbuzz-0.9.36-1.1.mga5
libharfbuzz0-0.9.36-1.1.mga5
libharfbuzz-devel-0.9.36-1.1.mga5

from harfbuzz-0.9.36-1.1.mga5.src.rpm

Assignee: tremyfr => qa-bugs

mga5-32

Installed the following.

-------------------

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 4 packages are going to be installed:

- harfbuzz-0.9.36-1.1.mga5.i586
- libharfbuzz0-0.9.36-1.1.mga5.i586
- meta-task-5-28.1.mga5.noarch
- urpmi-8.06.1-1.mga5.noarch

---------------------

Read something about it breaking earlier versions of LibreOffice so tested LibreOffice Writer.

Apparently works with some other tools like Firefox. That seems to be working fine.

My evaluation - it is working as designed in mga5-32.

CC: (none) => brtians1

Brian Rockwell
2016-07-23 19:04:28 CEST
Whiteboard: (none) => mga5-32-ok

Firefox and Thunderbird are using a bundled harfbuzz, so your best bets to test this are chromium-browser-stable, gnome-font-viewer, libreoffice, or a webkit browser.

Fonts look fine in chromium, Mageia 5 i586.

okay - trying this in Konqueror

Noted this: https://bugs.kde.org/show_bug.cgi?id=217472

I then follow the link to: https://en.wikipedia.org/wiki/Shabbat which does work with Konqueror (which is good).

I then search on Hebrew Alphabet (seems to not crash there as well.).

Fonts look fine in chromium and LibreOffice on Mageia 5 x86_64.

Whiteboard: mga5-32-ok => MGA5-32-OK MGA5-64-OK

Dave Hodgins
2016-07-26 23:23:19 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0264.html

Status: NEW => RESOLVED

David Walser
2016-07-27 18:50:16 CEST
URL: (none) => http://lwn.net/Vulnerabilities/695557/