Bug 17780 - graphite2 (and firefox) new security issues CVE-2016-152[1236]
Summary: graphite2 (and firefox) new security issues CVE-2016-152[1236]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/675698/
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-02-15 19:22 CET by David Walser
Modified: 2016-02-17 20:47 CET

See Also:
Source RPM: graphite2-1.2.4-3.mga5.src.rpm, firefox
CVE:
Status comment:

Description David Walser 2016-02-15 19:22:12 CET
TALOS has issued an advisory on February 5:
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html

This primarily impacts Firefox, and Mozilla issued an advisory for this on February 11:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/

It only mentions CVE-2016-1523 for some reason.

Debian has issued an advisory for this on February 14:
https://www.debian.org/security/2016/dsa-3477

For some reason, our Firefox package is not using the system graphite2 library, so it will need to either be rebuilt against it, and/or updated to 38.6.1.

Comment 1 David Walser 2016-02-15 19:22:45 CET
As for graphite2, it can be updated to 1.3.5 like Cauldron, as it should be binary compatible.

CC: (none) => doktor5000, thierry.vignaud

Comment 2 David Walser 2016-02-15 19:47:10 CET
I've checked graphite2 1.3.5 and firefox 38.6.1 into Mageia 5 SVN, but need some feedback from Thierry and/or Florian about whether we should build it against system graphite2 (I'd think so) and if so, how to do that.  Cauldron's Firefox is also not using the system library.
Comment 3 Florian Hubold 2016-02-15 22:02:35 CET
(In reply to David Walser from comment #2)
> I've checked graphite2 1.3.5 and firefox 38.6.1 into Mageia 5 SVN, but need
> some feedback from Thierry and/or Florian about whether we should build it
> against system graphite2 (I'd think so) and if so, how to do that.  Cauldron's
> Firefox is also not using the system library.

Not really sure about that, reading e.g.
http://www.linuxfromscratch.org/blfs/view/svn/general/graphite2.html
> Note that firefox provides an internal copy of the graphite engine and _cannot_
> use a system version, but it too should benefit from the availability of graphite
> fonts.

Seems upstream is still working on allowing to build against system graphite/harfbuzz: https://bugzilla.mozilla.org/show_bug.cgi?id=847568
Comment 4 David Walser 2016-02-15 22:37:49 CET
Ugh, upstream really needs to fix that :o(  They're making a lot more work for us here.  I could swear FF used to use the system harfbuzz too.

Thanks for the research, I'll have to push both updates then.
Comment 5 David Walser 2016-02-15 23:04:48 CET
Updated packages uploaded for Mageia 5.

You can use chromium-browser-stable to test graphite2.

Advisory:
========================

Updated graphite2 and firefox packages fix security vulnerabilities:

Multiple vulnerabilities in the graphite2 font library can result in
information disclosure, denial-of-service (application crashes), or code
execution via out-of-bounds reads, a NULL pointer dereference, and a
heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523,
CVE-2016-1526).

Firefox includes a bundled copy of the graphite2 library, which has been
updated in Firefox ESR 38.6.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.debian.org/security/2016/dsa-3477
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.5-1.mga5
libgraphite2_3-1.3.5-1.mga5
libgraphite2-devel-1.3.5-1.mga5
firefox-38.6.1-1.mga5
firefox-devel-38.6.1-1.mga5
firefox-af-38.6.1-1.mga5
firefox-an-38.6.1-1.mga5
firefox-ar-38.6.1-1.mga5
firefox-as-38.6.1-1.mga5
firefox-ast-38.6.1-1.mga5
firefox-az-38.6.1-1.mga5
firefox-be-38.6.1-1.mga5
firefox-bg-38.6.1-1.mga5
firefox-bn_IN-38.6.1-1.mga5
firefox-bn_BD-38.6.1-1.mga5
firefox-br-38.6.1-1.mga5
firefox-bs-38.6.1-1.mga5
firefox-ca-38.6.1-1.mga5
firefox-cs-38.6.1-1.mga5
firefox-cy-38.6.1-1.mga5
firefox-da-38.6.1-1.mga5
firefox-de-38.6.1-1.mga5
firefox-el-38.6.1-1.mga5
firefox-en_GB-38.6.1-1.mga5
firefox-en_US-38.6.1-1.mga5
firefox-en_ZA-38.6.1-1.mga5
firefox-eo-38.6.1-1.mga5
firefox-es_AR-38.6.1-1.mga5
firefox-es_CL-38.6.1-1.mga5
firefox-es_ES-38.6.1-1.mga5
firefox-es_MX-38.6.1-1.mga5
firefox-et-38.6.1-1.mga5
firefox-eu-38.6.1-1.mga5
firefox-fa-38.6.1-1.mga5
firefox-ff-38.6.1-1.mga5
firefox-fi-38.6.1-1.mga5
firefox-fr-38.6.1-1.mga5
firefox-fy_NL-38.6.1-1.mga5
firefox-ga_IE-38.6.1-1.mga5
firefox-gd-38.6.1-1.mga5
firefox-gl-38.6.1-1.mga5
firefox-gu_IN-38.6.1-1.mga5
firefox-he-38.6.1-1.mga5
firefox-hi_IN-38.6.1-1.mga5
firefox-hr-38.6.1-1.mga5
firefox-hsb-38.6.1-1.mga5
firefox-hu-38.6.1-1.mga5
firefox-hy_AM-38.6.1-1.mga5
firefox-id-38.6.1-1.mga5
firefox-is-38.6.1-1.mga5
firefox-it-38.6.1-1.mga5
firefox-ja-38.6.1-1.mga5
firefox-kk-38.6.1-1.mga5
firefox-km-38.6.1-1.mga5
firefox-kn-38.6.1-1.mga5
firefox-ko-38.6.1-1.mga5
firefox-lij-38.6.1-1.mga5
firefox-lt-38.6.1-1.mga5
firefox-lv-38.6.1-1.mga5
firefox-mai-38.6.1-1.mga5
firefox-mk-38.6.1-1.mga5
firefox-ml-38.6.1-1.mga5
firefox-mr-38.6.1-1.mga5
firefox-ms-38.6.1-1.mga5
firefox-nb_NO-38.6.1-1.mga5
firefox-nl-38.6.1-1.mga5
firefox-nn_NO-38.6.1-1.mga5
firefox-or-38.6.1-1.mga5
firefox-pa_IN-38.6.1-1.mga5
firefox-pl-38.6.1-1.mga5
firefox-pt_BR-38.6.1-1.mga5
firefox-pt_PT-38.6.1-1.mga5
firefox-ro-38.6.1-1.mga5
firefox-ru-38.6.1-1.mga5
firefox-si-38.6.1-1.mga5
firefox-sk-38.6.1-1.mga5
firefox-sl-38.6.1-1.mga5
firefox-sq-38.6.1-1.mga5
firefox-sr-38.6.1-1.mga5
firefox-sv_SE-38.6.1-1.mga5
firefox-ta-38.6.1-1.mga5
firefox-te-38.6.1-1.mga5
firefox-th-38.6.1-1.mga5
firefox-tr-38.6.1-1.mga5
firefox-uk-38.6.1-1.mga5
firefox-uz-38.6.1-1.mga5
firefox-vi-38.6.1-1.mga5
firefox-xh-38.6.1-1.mga5
firefox-zh_CN-38.6.1-1.mga5
firefox-zh_TW-38.6.1-1.mga5

from SRPMS:
graphite2-1.3.5-1.mga5.src.rpm
firefox-38.6.1-1.mga5.src.rpm
firefox-l10n-38.6.1-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Summary: graphite2 new security issues CVE-2016-152[1236] => graphite2 (and firefox) new security issues CVE-2016-152[1236]
Source RPM: graphite2-1.2.4-3.mga5.src.rpm => graphite2-1.2.4-3.mga5.src.rpm, firefox

Comment 6 David Walser 2016-02-16 01:09:50 CET
Confirmed working for Firefox with the graphite2 test page:
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_fontdemo

The first, simple, demo doesn't work in Chromium, but that's a known issue:
https://code.google.com/p/chromium/issues/detail?id=140007

The later ones work.  OK'ing this for Mageia 5 i586.

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 7 David Walser 2016-02-16 17:11:06 CET
Replacing DSA with RedHat advisory reference.

Advisory:
========================

Updated graphite2 and firefox packages fix security vulnerabilities:

Multiple vulnerabilities in the graphite2 font library can result in
information disclosure, denial-of-service (application crashes), or code
execution via out-of-bounds reads, a NULL pointer dereference, and a
heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523,
CVE-2016-1526).

Firefox includes a bundled copy of the graphite2 library, which has been
updated in Firefox ESR 38.6.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-0197.html
Comment 8 David Walser 2016-02-16 17:23:51 CET
Adding DSA for graphite2.

Advisory:
========================

Updated graphite2 and firefox packages fix security vulnerabilities:

Multiple vulnerabilities in the graphite2 font library can result in
information disclosure, denial-of-service (application crashes), or code
execution via out-of-bounds reads, a NULL pointer dereference, and a
heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523,
CVE-2016-1526).

Firefox includes a bundled copy of the graphite2 library, which has been
updated in Firefox ESR 38.6.1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
http://www.talosintel.com/reports/TALOS-2016-0057/
http://www.talosintel.com/reports/TALOS-2016-0058/
http://www.talosintel.com/reports/TALOS-2016-0059/
http://www.talosintel.com/reports/TALOS-2016-0060/
http://www.talosintel.com/reports/TALOS-2016-0061/
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-0197.html
https://www.debian.org/security/2016/dsa-3479
Comment 9 David Walser 2016-02-16 20:26:28 CET
LWN reference for CVE-2016-1521 and CVE-2016-1522:
http://lwn.net/Vulnerabilities/675823/
Comment 10 claire robinson 2016-02-17 12:04:58 CET
Testing complete mga5 64

Firefox & l10n OK.

To test graphite2 in firefox see:
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_fontdemo

Can be used, as David said, with chromium-browser-stable to test the lib.

Can also test using any of these fonts in LibreOffice:
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_fonts#f6ce866a

$ urpmq --whatrequires lib64graphite2_3 
graphite2
lib64graphite2_3
lib64harfbuzz0
libreoffice-core
libreoffice-core
libreoffice-core

# urpmq --whatrequires lib64harfbuzz0
chromium-browser-stable

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok

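The procedure above verifies the fix by hand. As an added example (not from the bug report or Mageia's tooling), the POSIX sh script below checks whether a Mageia 5 host has both the system graphite2 package and Firefox, which bundles its own copy of the library, at the fixed package levels from this update. It assumes rpm is available; the version comparison is numeric only.

```shell
#!/bin/sh
# Added example (not from the bug report or Mageia's tooling): are the installed
# graphite2 and firefox packages at or above the fixed versions? Firefox ships
# its own copy of graphite2, so a fixed system library proves nothing for Firefox.
FIXED_GRAPHITE2="1.3.5-1"   # graphite2-1.3.5-1.mga5 from the advisory
FIXED_FIREFOX="38.6.1-1"    # firefox-38.6.1-1.mga5 from the advisory

# strip_dist VR: drop the ".mgaN" dist tag from a version-release string.
strip_dist() { printf '%s\n' "$1" | sed 's/\.mga[0-9]*$//'; }

# version_ge A B: succeed when version-release A >= B (numeric comparison of
# dot/dash separated components; not a full rpmvercmp, no alpha or tilde).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# check_pkg NAME INSTALLED_VR FIXED_VR: print a verdict; return 0 when
# fixed, 1 when still vulnerable, 2 when the package is not installed.
check_pkg() {
    if [ -z "$2" ]; then echo "$1: not installed"; return 2; fi
    if version_ge "$2" "$3"; then echo "$1: $2 >= $3 (fixed)"; return 0; fi
    echo "$1: $2 < $3 (VULNERABLE)"; return 1
}

# installed_vr NAME: version-release from the rpm database, empty when the
# package is not installed (or rpm is unavailable on this host).
installed_vr() {
    out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || return 1
    strip_dist "$(printf '%s\n' "$out" | head -n 1)"
}

# check_host: verdicts for both packages; fails if either is missing or
# below the fixed level, so callers can act on the exit status.
check_host() {
    rc=0
    check_pkg graphite2 "$(installed_vr graphite2)" "$FIXED_GRAPHITE2" || rc=1
    check_pkg firefox "$(installed_vr firefox)" "$FIXED_FIREFOX" || rc=1
    return $rc
}
check_host || :   # run directly: print the verdicts, do not abort here
```

The urpmq --whatrequires output above shows which other packages (harfbuzz, libreoffice, chromium) load the system library; those are covered by the graphite2 verdict, Firefox is not.
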
Dave Hodgins 2016-02-17 17:26:18 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure MGA5-32-OK mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 11 Mageia Robot 2016-02-17 20:23:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0077.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2016-02-17 20:47:12 CET
LWN reference for CVE-2016-1526:
http://lwn.net/Vulnerabilities/676106/
