Bug 17866 - graphite2 new security issues fixed upstream in 1.3.6
Summary: graphite2 new security issues fixed upstream in 1.3.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/678388/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-02 19:59 CET by David Walser
Modified: 2016-03-09 14:29 CET (History)
3 users (show)

See Also:
Source RPM: graphite2-1.3.5-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-03-02 19:59:48 CET
Fedora has issued an advisory on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

The graphite2 package has been updated to version 1.3.6 which fixes
multiple unspecified security issues.

References:
https://github.com/silnrsi/graphite/releases/tag/1.3.6
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.6-1.mga5
libgraphite2_3-1.3.6-1.mga5
libgraphite2-devel-1.3.6-1.mga5

from graphite2-1.3.6-1.mga5.src.rpm
Comment 1 David Walser 2016-03-02 20:00:12 CET
Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=17780#c6

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2016-03-03 08:12:00 CET
mga5  i586 virtualbox  Mate

Installed graphite2 and ran some checks then installed the update candidate and went back to the fontdemo page suggested in the link in comment #1.
All fonts displayed correctly except Padauk (not installed).
"The quick brown FOX jumps over the lazy DOG" displayed as
THe QuiCK BRoWN FoX JuMPS oVeR THe LaZY DoG
Downloaded and installed the Scheherazade and NeoAssyrian files and installed the TTF fonts.  In the libreoffice menu these displayed in Roman characters - expected Arabic and cuneiform.

Need to do some research.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2016-03-03 08:23:25 CET
Had a quick look at the l18n/l10n wiki page and suspect that the rendering of the fonts has something to do with that (localization).
Comment 4 Len Lawrence 2016-03-03 09:53:33 CET
Installed the Simple Graphics Font and tested it using libreoffice.  That worked.
OK for i586.
Len Lawrence 2016-03-03 09:53:55 CET

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 5 Len Lawrence 2016-03-03 10:03:55 CET
mga5  x86_64  Mate

Updated graphite2 packages and confirmed that the fonts on the Graphite Font Demo page displayed properly.

Installed the toy font and used it in libreoffice.  It worked just as in the web browser.
Validating this.  Would someone please push this to Mageia 5 Updates?
Len Lawrence 2016-03-03 10:04:13 CET

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Len Lawrence 2016-03-03 10:04:28 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Lewis Smith 2016-03-07 12:14:24 CET
Advisory uploaded; but it needs CVEs.

CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2016-03-07 12:21:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0097.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-03-09 14:24:16 CET
RedHat Firefox advisory from today (March 9), which contains these:
https://rhn.redhat.com/errata/RHSA-2016-0373.html

Please update the following in SVN.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

Multiple security flaws were found in the graphite2 font library. A web page
or document containing malicious content could cause an application using
graphite2 to crash or, potentially, execute arbitrary code with the
privileges of the user running the application (CVE-2016-1977,
CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794,
CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799,
CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

The graphite2 package has been updated to version 1.3.6 which fixes
these security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://github.com/silnrsi/graphite/releases/tag/1.3.6
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html
https://rhn.redhat.com/errata/RHSA-2016-0373.html
Comment 10 claire robinson 2016-03-09 14:29:33 CET
done

Note You need to log in before you can comment on or make changes to this bug.