Fedora has issued an advisory on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

The graphite2 package has been updated to version 1.3.6 which fixes multiple unspecified security issues.

References:
https://github.com/silnrsi/graphite/releases/tag/1.3.6
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.6-1.mga5
libgraphite2_3-1.3.6-1.mga5
libgraphite2-devel-1.3.6-1.mga5

from graphite2-1.3.6-1.mga5.src.rpm
Test procedure: https://bugs.mageia.org/show_bug.cgi?id=17780#c6
Whiteboard: (none) => has_procedure
mga5 i586 virtualbox Mate

Installed graphite2 and ran some checks then installed the update candidate and went back to the fontdemo page suggested in the link in comment #1. All fonts displayed correctly except Padauk (not installed).

"The quick brown FOX jumps over the lazy DOG" displayed as
THe QuiCK BRoWN FoX JuMPS oVeR THe LaZY DoG

Downloaded and installed the Scheherazade and NeoAssyrian files and installed the TTF fonts. In the libreoffice menu these displayed in Roman characters - expected Arabic and cuneiform. Need to do some research.
CC: (none) => tarazed25
Had a quick look at the i18n/l10n wiki page and suspect that the rendering of the fonts has something to do with that (localization).
Installed the Simple Graphics Font and tested it using libreoffice. That worked. OK for i586.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
mga5 x86_64 Mate

Updated graphite2 packages and confirmed that the fonts on the Graphite Font Demo page displayed properly. Installed the toy font and used it in libreoffice. It worked just as in the web browser.

Validating this. Would someone please push this to Mageia 5 Updates?
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded; but it needs CVEs.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0097.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
We now have details and CVEs:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/

I'll post a new advisory once I see RedHat's.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
RedHat Firefox advisory from today (March 9), which contains these:
https://rhn.redhat.com/errata/RHSA-2016-0373.html

Please update the following in SVN.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

Multiple security flaws were found in the graphite2 font library. A web page or document containing malicious content could cause an application using graphite2 to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

The graphite2 package has been updated to version 1.3.6 which fixes these security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://github.com/silnrsi/graphite/releases/tag/1.3.6
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178192.html
https://rhn.redhat.com/errata/RHSA-2016-0373.html
done