A CVE has been assigned for an issue fixed in harfbuzz 1.0.6: http://openwall.com/lists/oss-security/2016/07/17/8 A CVE is still (possibly) pending for an issue fixed in 1.0.5 detailed therein. I have the patches backported to 0.9.36. I'm just waiting for the last CVE.
Assigning to maintainer
CC: (none) => marja11Assignee: bugsquad => tremyfr
CVE-2015-8947 assigned for the earlier issue: http://openwall.com/lists/oss-security/2016/07/19/2 Patched package uploaded for Mageia 5. Advisory: ======================== Updated harfbuzz packages fix security vulnerabilities: Two memory access issues, including a heap-based buffer overflow (CVE-2015-8947) and incorrect table length check (CVE-2016-2052) could lead to a denial of service when rendering a crafted OpenType font. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8947 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052 http://openwall.com/lists/oss-security/2016/07/17/8 http://openwall.com/lists/oss-security/2016/07/19/2 ======================== Updated packages in core/updates_testing: ======================== harfbuzz-0.9.36-1.1.mga5 libharfbuzz0-0.9.36-1.1.mga5 libharfbuzz-devel-0.9.36-1.1.mga5 from harfbuzz-0.9.36-1.1.mga5.src.rpm
Assignee: tremyfr => qa-bugsSummary: harfbuzz new security issue CVE-2016-2052 => harfbuzz new security issues CVE-2015-8947 and CVE-2016-2052
mga5-32 Installed the following. ------------------- Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart. The following 4 packages are going to be installed: - harfbuzz-0.9.36-1.1.mga5.i586 - libharfbuzz0-0.9.36-1.1.mga5.i586 - meta-task-5-28.1.mga5.noarch - urpmi-8.06.1-1.mga5.noarch --------------------- Read something about it breaking earlier versions of LibreOffice so tested LibreOffice Writer. Apparently works with some other tools like Firefox. That seems to be working fine. My evaluation - it is working as designed in mga5-32.
CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok
Firefox and Thunderbird are using a bundled harfbuzz, so your best bets to test this are chromium-browser-stable, gnome-font-viewer, libreoffice, or a webkit browser.
Fonts look fine in chromium, Mageia 5 i586.
okay - trying this in Konqueror Noted this: https://bugs.kde.org/show_bug.cgi?id=217472 I then follow the link to: https://en.wikipedia.org/wiki/Shabbat which does work with Konqueror (which is good). I then search on Hebrew Alphabet (seems to not crash there as well.).
Fonts look fine in chromium and LibreOffice on Mageia 5 x86_64.
Whiteboard: mga5-32-ok => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0264.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/695557/