SUSE has issued an advisory on May 2:
Mageia 5 is also affected.
Assigning to registered maintainer
Fixed in cauldron
openSUSE has issued an advisory for this today (May 15):
Debian has issued an advisory on June 22:
It brings eight new CVEs affecting both Mageia 5 and Cauldron.
graphite2 new security issue CVE-2017-5436 =>
graphite2 new security issue CVE-2017-5436 and CVE-2017-777[1-8]Version:
It appears that Debian updated Jessie to graphite2 1.3.10 to fix the latest set of issues. As we have that version in Cauldron already, I'll say that Cauldron isn't affected by these issues.
Updated package uploaded for Mageia 5.
Updated graphite2 packages fix security vulnerabilities:
An out-of-bounds write triggered with a maliciously crafted Graphite font could
lead to a crash or potentially code execution (CVE-2017-5436).
Multiple vulnerabilities have been found in the Graphite font rendering engine
which might result in denial of service or the execution of arbitrary code if a
malformed font file is processed (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773,
CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778).
Updated packages in core/updates_testing:
mga5 x86-64 Mate
No useful information on the CVE links. SuSE admits that it could not find a testcase for CVE-2017-5436.
Checked the graphite font-demo page. The Padauk samples tallied but the Awami Nastaliq samples differed a bit in general appearance and details.
Downloaded some graphite TTF files.
drakfont to install the Graphite versions of Linux Libertine and Linux Biolinum fonts and tried them out in LibreOffice.
The update packages installed smoothly.
Reloaded firefox and used about:config to check graphite because the version number was in the range where graphite might not have been enabled - but it was.
gfx.font_rendering.graphite.enabled default boolean true
Visited the graphite font-demo page. Nothing had changed.
Opened a document in LibreOffice and changed the font to Linux Libertine G, Linux Libertine Display G and then Linux Biolinum G. All three look good.
Passing this for 64-bits.
Advisory uploaded. Validating with just the 64-bit OK because Len's test was very thorough, and we have too many updates in hand.
An update for this issue has been pushed to the Mageia Updates repository.