TALOS has issued an advisory on February 5:
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html

This primarily impacts Firefox, and Mozilla issued an advisory for this on February 11:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/

It only mentions CVE-2016-1523 for some reason.

Debian has issued an advisory for this on February 14:
https://www.debian.org/security/2016/dsa-3477

For some reason, our Firefox package is not using the system graphite2 library, so it will need to either be rebuilt against it, and/or updated to 38.6.1.
As for graphite2, it can be updated to 1.3.5 like Cauldron, as it should be binary compatible.
CC: (none) => doktor5000, thierry.vignaud
I've checked graphite2 1.3.5 and firefox 38.6.1 into Mageia 5 SVN, but need some feedback from Thierry and/or Florian about should we build it against system graphite2 (I'd think so) and if so, how to do that. Cauldron's Firefox is also not using the system library.
(In reply to David Walser from comment #2)
> I've checked graphite2 1.3.5 and firefox 38.6.1 into Mageia 5 SVN, but need
> some feedback from Thierry and/or Florian about should we build it against
> system graphite2 (I'd think so) and if so, how to do that. Cauldron's
> Firefox is also not using the system library.

Not really sure about that, reading e.g.
http://www.linuxfromscratch.org/blfs/view/svn/general/graphite2.html

> Note that firefox provides an internal copy of the graphite engine and _cannot_
> use a system version, but it too should benefit from the availability of graphite
> fonts.

Seems upstream is still working on allowing to build against system graphite/harfbuzz:
https://bugzilla.mozilla.org/show_bug.cgi?id=847568
Ugh, upstream really needs to fix that :o( They're making a lot more work for us here. I could swear FF used to use the system harfbuzz too. Thanks for the research, I'll have to push both updates then.
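Added example, not code from this bug report, from Mageia or from Mozilla: one way to settle the question discussed in the comments above (does a binary pick up the system libgraphite2, or does it carry its own copy?) is to read the ELF DT_NEEDED entries directly, which is what `readelf -d` prints as NEEDED and what `ldd` resolves. The function names, the `libgraphite2.so` prefix and the `build_test_elf` fixture are my own; the fixture is a constructed, non-loadable ELF image used only so the check runs offline. On a real system the Gecko copy of the graphite engine is compiled into libxul.so rather than the firefox launcher binary, so that is the file to point the script at. Note the limit of the check: no DT_NEEDED entry means the distro's libgraphite2 package will not fix the binary, but it does not by itself prove a bundled copy is present.

```python
"""Report whether an ELF binary links the shared graphite2 library at run time
(DT_NEEDED) or must be carrying its own copy, as Firefox does in libxul.so."""
import struct
import sys

SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_NEEDED = 1
SHDR_FMT = "<IIQQQQIIQQ"  # Elf64_Shdr, little-endian, 64 bytes


def _cstring(strtab, offset):
    """NUL-terminated string at `offset` inside a string table."""
    end = strtab.index(b"\x00", offset)
    return strtab[offset:end].decode("ascii")


def needed_libraries(data):
    """Return the DT_NEEDED sonames of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []
    for i in range(e_shnum):
        f = struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
        # (sh_type, sh_offset, sh_size, sh_link)
        sections.append((f[1], f[4], f[5], f[6]))
    needed = []
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic names the string table its entries index
        _, str_off, str_size, _ = sections[sh_link]
        strtab = data[str_off:str_off + str_size]
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                needed.append(_cstring(strtab, d_val))
    return needed


def uses_system_library(data, soname_prefix="libgraphite2.so"):
    """True when the image depends on the shared library, so updating the
    distro package fixes it; False when it does not (bundled copy, or no use)."""
    return any(n.startswith(soname_prefix) for n in needed_libraries(data))


def build_test_elf(needed):
    """Constructed fixture (assumption, not a real binary): a minimal ELF64
    image with three sections, null / .dynstr / .dynamic, listing `needed`."""
    dynstr = b"\x00"
    offsets = []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode("ascii") + b"\x00"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack(SHDR_FMT, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR_FMT, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type=ET_DYN, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    # e.g. python3 check_graphite.py /usr/lib64/firefox/libxul.so
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    print("NEEDED:", ", ".join(needed_libraries(image)))
    print("links system libgraphite2:", uses_system_library(image))
```

Run it against libxul.so from the firefox package and against a binary that is known to use the system library (chromium-browser-stable through lib64harfbuzz0, or libreoffice-core) to see the two cases side by side; a library that is absent from NEEDED on the Firefox side is the one that needs its own rebuild when graphite2 is updated.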
Updated packages uploaded for Mageia 5.

You can use chromium-browser-stable to test graphite2.

Advisory:
========================

Updated graphite2 and firefox packages fix security vulnerabilities:

Multiple vulnerabilities in the graphite2 font library can result in information disclosure, denial-of-service (application crashes), or code execution via out-of-bounds reads, a NULL pointer dereference, and a heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526).

Firefox includes a bundled copy of the graphite2 library, which has been updated in Firefox ESR 38.6.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.debian.org/security/2016/dsa-3477
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.5-1.mga5
libgraphite2_3-1.3.5-1.mga5
libgraphite2-devel-1.3.5-1.mga5
firefox-38.6.1-1.mga5
firefox-devel-38.6.1-1.mga5
firefox-af-38.6.1-1.mga5
firefox-an-38.6.1-1.mga5
firefox-ar-38.6.1-1.mga5
firefox-as-38.6.1-1.mga5
firefox-ast-38.6.1-1.mga5
firefox-az-38.6.1-1.mga5
firefox-be-38.6.1-1.mga5
firefox-bg-38.6.1-1.mga5
firefox-bn_IN-38.6.1-1.mga5
firefox-bn_BD-38.6.1-1.mga5
firefox-br-38.6.1-1.mga5
firefox-bs-38.6.1-1.mga5
firefox-ca-38.6.1-1.mga5
firefox-cs-38.6.1-1.mga5
firefox-cy-38.6.1-1.mga5
firefox-da-38.6.1-1.mga5
firefox-de-38.6.1-1.mga5
firefox-el-38.6.1-1.mga5
firefox-en_GB-38.6.1-1.mga5
firefox-en_US-38.6.1-1.mga5
firefox-en_ZA-38.6.1-1.mga5
firefox-eo-38.6.1-1.mga5
firefox-es_AR-38.6.1-1.mga5
firefox-es_CL-38.6.1-1.mga5
firefox-es_ES-38.6.1-1.mga5
firefox-es_MX-38.6.1-1.mga5
firefox-et-38.6.1-1.mga5
firefox-eu-38.6.1-1.mga5
firefox-fa-38.6.1-1.mga5
firefox-ff-38.6.1-1.mga5
firefox-fi-38.6.1-1.mga5
firefox-fr-38.6.1-1.mga5
firefox-fy_NL-38.6.1-1.mga5
firefox-ga_IE-38.6.1-1.mga5
firefox-gd-38.6.1-1.mga5
firefox-gl-38.6.1-1.mga5
firefox-gu_IN-38.6.1-1.mga5
firefox-he-38.6.1-1.mga5
firefox-hi_IN-38.6.1-1.mga5
firefox-hr-38.6.1-1.mga5
firefox-hsb-38.6.1-1.mga5
firefox-hu-38.6.1-1.mga5
firefox-hy_AM-38.6.1-1.mga5
firefox-id-38.6.1-1.mga5
firefox-is-38.6.1-1.mga5
firefox-it-38.6.1-1.mga5
firefox-ja-38.6.1-1.mga5
firefox-kk-38.6.1-1.mga5
firefox-km-38.6.1-1.mga5
firefox-kn-38.6.1-1.mga5
firefox-ko-38.6.1-1.mga5
firefox-lij-38.6.1-1.mga5
firefox-lt-38.6.1-1.mga5
firefox-lv-38.6.1-1.mga5
firefox-mai-38.6.1-1.mga5
firefox-mk-38.6.1-1.mga5
firefox-ml-38.6.1-1.mga5
firefox-mr-38.6.1-1.mga5
firefox-ms-38.6.1-1.mga5
firefox-nb_NO-38.6.1-1.mga5
firefox-nl-38.6.1-1.mga5
firefox-nn_NO-38.6.1-1.mga5
firefox-or-38.6.1-1.mga5
firefox-pa_IN-38.6.1-1.mga5
firefox-pl-38.6.1-1.mga5
firefox-pt_BR-38.6.1-1.mga5
firefox-pt_PT-38.6.1-1.mga5
firefox-ro-38.6.1-1.mga5
firefox-ru-38.6.1-1.mga5
firefox-si-38.6.1-1.mga5
firefox-sk-38.6.1-1.mga5
firefox-sl-38.6.1-1.mga5
firefox-sq-38.6.1-1.mga5
firefox-sr-38.6.1-1.mga5
firefox-sv_SE-38.6.1-1.mga5
firefox-ta-38.6.1-1.mga5
firefox-te-38.6.1-1.mga5
firefox-th-38.6.1-1.mga5
firefox-tr-38.6.1-1.mga5
firefox-uk-38.6.1-1.mga5
firefox-uz-38.6.1-1.mga5
firefox-vi-38.6.1-1.mga5
firefox-xh-38.6.1-1.mga5
firefox-zh_CN-38.6.1-1.mga5
firefox-zh_TW-38.6.1-1.mga5

from SRPMS:
graphite2-1.3.5-1.mga5.src.rpm
firefox-38.6.1-1.mga5.src.rpm
firefox-l10n-38.6.1-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Summary: graphite2 new security issues CVE-2016-152[1236] => graphite2 (and firefox) new security issues CVE-2016-152[1236]
Source RPM: graphite2-1.2.4-3.mga5.src.rpm => graphite2-1.2.4-3.mga5.src.rpm, firefox
Confirmed working for Firefox with the graphite2 test page:
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_fontdemo

The first, simple, demo doesn't work in Chromium, but that's a known issue:
https://code.google.com/p/chromium/issues/detail?id=140007

The later ones work.

OK'ing this for Mageia 5 i586.
Whiteboard: (none) => has_procedure MGA5-32-OK
Replacing DSA with RedHat advisory reference.

Advisory:
========================

Updated graphite2 and firefox packages fix security vulnerabilities:

Multiple vulnerabilities in the graphite2 font library can result in information disclosure, denial-of-service (application crashes), or code execution via out-of-bounds reads, a NULL pointer dereference, and a heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526).

Firefox includes a bundled copy of the graphite2 library, which has been updated in Firefox ESR 38.6.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-0197.html
Adding DSA for graphite2.

Advisory:
========================

Updated graphite2 and firefox packages fix security vulnerabilities:

Multiple vulnerabilities in the graphite2 font library can result in information disclosure, denial-of-service (application crashes), or code execution via out-of-bounds reads, a NULL pointer dereference, and a heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526).

Firefox includes a bundled copy of the graphite2 library, which has been updated in Firefox ESR 38.6.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-0197.html
https://www.debian.org/security/2016/dsa-3479
LWN reference for CVE-2016-1521 and CVE-2016-1522: http://lwn.net/Vulnerabilities/675823/
Testing complete mga5 64 Firefox & l10n OK.

To test graphite2 in firefox see:
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_fontdemo

Can be used, as David said, with chromium-browser-stable to test the lib.

Can also test using any of these fonts in libreoffice:
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_fonts#f6ce866a

$ urpmq --whatrequires lib64graphite2_3
graphite2
lib64graphite2_3
lib64harfbuzz0
libreoffice-core
libreoffice-core
libreoffice-core

# urpmq --whatrequires lib64harfbuzz0
chromium-browser-stable
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure MGA5-32-OK mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0077.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-1526: http://lwn.net/Vulnerabilities/676106/