|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2016-1523: graphite2: An exploitable heap-based buffer overflow exists in the context itemhandling functionality of Libgr... | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P4 - Low | CC: | krahmer, security-team, smash_bz, tchvatal |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/161684/ | ||
| Whiteboard: | CVSSv2:SUSE:CVE-2016-1526:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1523:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-1523:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1526:5.8:(AV:N/AC:M/Au:N/C:P/I:N/A:P) CVSSv2:NVD:CVE-2016-1522:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:RedHat:CVE-2016-1521:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-1522:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-1526:5.8:(AV:N/AC:M/Au:N/C:P/I:N/A:P) CVSSv2:SUSE:CVE-2016-1521:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-1522:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-1523:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-1521:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Sebastian Krahmer
2016-02-09 09:23:30 UTC
bugbot adjusting priority I assume this bug is connected to 'Heap Overflow' of http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html There are two commits in the ubuntu bug, second reverting the first one. Please, either provide testcase or confirm that the second commit fixes the issue. Thank you I think they need to be applied in order. Second commit says its reworking previous fix. Presumably they insufficiently fixed the issues with the first commit. Only parts are reverted in the second commit; but also adding additional checks. This is an autogenerated message for OBS integration: This bug (965807) was mentioned in https://build.opensuse.org/request/show/367416 13.2 / graphite2 Packages submitted. SUSE-SU-2016:0779-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 965803,965807,965810 CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Software Development Kit 12 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Server 12-SP1 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Server 12 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Desktop 12-SP1 (src): graphite2-1.3.1-6.1 SUSE Linux Enterprise Desktop 12 (src): graphite2-1.3.1-6.1 openSUSE-SU-2016:0791-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 965803,965806,965807,965810 CVE References: CVE-2016-1521,CVE-2016-1522,CVE-2016-1523,CVE-2016-1526 Sources used: openSUSE 13.2 (src): graphite2-1.2.4-2.4.1 released openSUSE-SU-2016:0875-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 965803,965807,965810 CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526 Sources used: openSUSE Leap 42.1 (src): graphite2-1.3.1-3.1 |