Bug 20778 - graphite2 new security issue CVE-2017-5436 and CVE-2017-777[1-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Reported: 2017-05-03 12:34 CEST by David Walser
Modified: 2017-07-26 00:08 CEST
Source RPM: graphite2-1.3.6-1.mga5.src.rpm
CVE: CVE-2017-5436

Description David Walser 2017-05-03 12:34:01 CEST
SUSE has issued an advisory on May 2:
https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00008.html

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-05-03 12:39:28 CEST
Assigning to registered maintainer
Comment 2 Nicolas Lécureuil 2017-05-03 14:59:33 CEST
Fixed in cauldron
Comment 3 David Walser 2017-05-15 23:17:46 CEST
openSUSE has issued an advisory for this today (May 15):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00053.html
Comment 4 David Walser 2017-06-24 00:35:37 CEST
Debian has issued an advisory on June 22:
https://www.debian.org/security/2017/dsa-3894

It brings eight new CVEs affecting both Mageia 5 and Cauldron.
Comment 5 David Walser 2017-06-24 19:08:58 CEST
It appears that Debian updated Jessie to graphite2 1.3.10 to fix the latest set of issues.  As we have that version in Cauldron already, I'll say that Cauldron isn't affected by these issues.
Comment 6 David Walser 2017-07-09 01:38:57 CEST
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

An out-of-bounds write triggered with a maliciously crafted Graphite font could
lead to a crash or potentially code execution (CVE-2017-5436).

Multiple vulnerabilities have been found in the Graphite font rendering engine
which might result in denial of service or the execution of arbitrary code if a
malformed font file is processed (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773,
CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7778
https://lists.opensuse.org/opensuse-updates/2017-05/msg00053.html
https://www.debian.org/security/2017/dsa-3894
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.10-1.mga5
libgraphite2_3-1.3.10-1.mga5
libgraphite2-devel-1.3.10-1.mga5

from graphite2-1.3.10-1.mga5.src.rpm
Comment 7 Len Lawrence 2017-07-24 21:12:18 CEST
mga5  x86-64  Mate

No useful information on the CVE links.  SuSE admits that it could not find a testcase for CVE-2017-5436.

Checked the graphite font-demo page.  The Padauk samples tallied but the Awami Nastaliq samples differed a bit in general appearance and details.
Downloaded some graphite TTF files.
Used drakfont to install the Graphite versions of Linux Libertine and Linux Biolinum fonts and tried them out in LibreOffice.

The update packages installed smoothly.

Reloaded Firefox and used about:config to check graphite because the version number was in the range where graphite might not have been enabled - but it was.
gfx.font_rendering.graphite.enabled   default  boolean  true

Visited the graphite font-demo page.  Nothing had changed.
Opened a document in LibreOffice and changed the font to Linux Libertine G, Linux Libertine Display G and then Linux Biolinum G.  All three look good.

Passing this for 64-bits.
Comment 8 Lewis Smith 2017-07-25 09:20:46 CEST
Advisory uploaded. Validating with just the 64-bit OK because Len's test was very thorough, and we have too many updates in hand.
Comment 9 Mageia Robot 2017-07-26 00:08:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0217.html
