|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2016-1521: graphite2: An exploitable out-of-bounds read vulnerability exists in the opcodehandling functionality of Libgr... | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P4 - Low | CC: | krahmer, security-team, smash_bz, tchvatal |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/161682/ | ||
| Whiteboard: | CVSSv2:SUSE:CVE-2016-1526:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1523:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-1523:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1526:5.8:(AV:N/AC:M/Au:N/C:P/I:N/A:P) CVSSv2:NVD:CVE-2016-1522:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:RedHat:CVE-2016-1521:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-1522:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-1526:5.8:(AV:N/AC:M/Au:N/C:P/I:N/A:P) CVSSv2:SUSE:CVE-2016-1521:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-1522:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-1523:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1521:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Sebastian Krahmer
2016-02-09 09:20:23 UTC
bugbot adjusting priority I am afraid I will need more information. This bug appears to be connected to 'Out-of-Bounds Read' of http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html There are several commits in the ubuntu bug but I am not sure which is actually fixing the issue. Either provide relevant commit or at least testcase to check we have picked the correct one. Thank you From what it looks, three git commits need to be applied in order to fix TALOS-2016-0058 and TALOS-2016-0061, both of which are combined in above CVE. Also for everyone to be aware graphite2 is bundled in libreoffice on sle11. This is an autogenerated message for OBS integration: This bug (965803) was mentioned in https://build.opensuse.org/request/show/359654 Factory / graphite2 This is an autogenerated message for OBS integration: This bug (965803) was mentioned in https://build.opensuse.org/request/show/367416 13.2 / graphite2 Packages submitted. SUSE-SU-2016:0779-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 965803,965807,965810 CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Software Development Kit 12 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Server 12-SP1 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Server 12 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Desktop 12-SP1 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Desktop 12 (src): graphite2-1.3.1-6.1 openSUSE-SU-2016:0791-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 965803,965806,965807,965810 CVE References: CVE-2016-1521,CVE-2016-1522,CVE-2016-1523,CVE-2016-1526 Sources used: openSUSE 13.2 (src): graphite2-1.2.4-2.4.1 released openSUSE-SU-2016:0875-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 965803,965807,965810 CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526 Sources used: openSUSE Leap 42.1 (src): graphite2-1.3.1-3.1 |