Updated graphite2/firefox packages fix security vulnerability
Publication date: 17 Feb 2016Modification date: 17 Feb 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1521 , CVE-2016-1522 , CVE-2016-1523 , CVE-2016-1526
Description
Multiple vulnerabilities in the graphite2 font library can result in
information disclosure, denial-of-service (application crashes), or code
execution via out-of-bounds reads, a NULL pointer dereference, and a
heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523,
CVE-2016-1526).
Firefox includes a bundled copy of the graphite2 library, which has been
updated in Firefox ESR 38.6.1.
References
- https://bugs.mageia.org/show_bug.cgi?id=17780
- http://www.talosintel.com/reports/TALOS-2016-0057/
- http://www.talosintel.com/reports/TALOS-2016-0058/
- http://www.talosintel.com/reports/TALOS-2016-0059/
- http://www.talosintel.com/reports/TALOS-2016-0060/
- http://www.talosintel.com/reports/TALOS-2016-0061/
- http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
- https://www.debian.org/security/2016/dsa-3477
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526
SRPMS
5/core
- firefox-38.6.1-1.mga5
- firefox-l10n-38.6.1-1.mga5
- graphite2-1.3.5-1.mga5