SUSE has issued an advisory on May 2:
https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00008.html
Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to registered maintainer
CC: (none) => marja11
Assignee: bugsquad => mageia
CVE: (none) => CVE-2017-5436
Fixed in cauldron
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
openSUSE has issued an advisory for this today (May 15):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00053.html
Debian has issued an advisory on June 22:
https://www.debian.org/security/2017/dsa-3894
It brings eight new CVEs affecting both Mageia 5 and Cauldron.
Summary: graphite2 new security issue CVE-2017-5436 => graphite2 new security issue CVE-2017-5436 and CVE-2017-777[1-8]
Whiteboard: (none) => MGA5TOO
Version: 5 => Cauldron
It appears that Debian updated Jessie to graphite2 1.3.10 to fix the latest set of issues. As we have that version in Cauldron already, I'll say that Cauldron isn't affected by these issues.
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated graphite2 packages fix security vulnerabilities:

An out-of-bounds write triggered with a maliciously crafted Graphite font could lead to a crash or potentially code execution (CVE-2017-5436).

Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed (CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7778
https://lists.opensuse.org/opensuse-updates/2017-05/msg00053.html
https://www.debian.org/security/2017/dsa-3894
========================

Updated packages in core/updates_testing:
========================
graphite2-1.3.10-1.mga5
libgraphite2_3-1.3.10-1.mga5
libgraphite2-devel-1.3.10-1.mga5

from graphite2-1.3.10-1.mga5.src.rpm
Assignee: mageia => qa-bugs
mga5 x86-64 Mate

No useful information on the CVE links. SuSE admits that it could not find a testcase for CVE-2017-5436.

Checked the graphite font-demo page. The Padauk samples tallied but the Awami Nastaliq samples differed a bit in general appearance and details.

Downloaded some graphite TTF files. drakfont to install the Graphite versions of Linux Libertine and Linux Biolinum fonts and tried them out in LibreOffice.

The update packages installed smoothly.

Reloaded firefox and used about:config to check graphite because the version number was in the range where graphite might not have been enabled - but it was.
gfx.font_rendering.graphite.enabled default boolean true

Visited the graphite font-demo page. Nothing had changed.

Opened a document in LibreOffice and changed the font to Linux Libertine G, Linux Libertine Display G and then Linux Biolinum G. All three look good.

Passing this for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Advisory uploaded. Validating with just the 64-bit OK because Len's test was very thorough, and we have too many updates in hand.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0217.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED