Bug 965806 - (CVE-2016-1522) VUL-0: CVE-2016-1522: graphite2: An exploitable out-of-bounds access vulnerability exists in the bidirectional font handling function...
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
Reported: 2016-02-09 09:22 UTC by Sebastian Krahmer
Modified: 2016-06-02 14:24 UTC (History)
Found By: Security Response Team
Comment 1 Swamp Workflow Management 2016-02-09 23:00:47 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-02-15 13:27:06 UTC
This is connected to first part of 'Denial of Service' in 

At least 
seems, that yes. 

This and only this commit is relevant? There is another commit in the Ubuntu bug, but I am not sure it is related to this bug.

More info welcome.

Thank you
Comment 3 Sebastian Krahmer 2016-02-15 13:39:50 UTC
To me, both commits seem to need to be applied.
What they name as "various fuzztest bugs" is IOW a crash
like all the other stuff that they are fixing.
Comment 5 Petr Gajdos 2016-03-07 09:01:30 UTC
1.3.1 in sle12 already contains the fix.
Comment 6 Bernhard Wiedemann 2016-03-07 11:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (965806) was mentioned in
https://build.opensuse.org/request/show/367416 13.2 / graphite2
Comment 7 Petr Gajdos 2016-03-07 13:16:37 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2016-03-16 18:13:25 UTC
openSUSE-SU-2016:0791-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965806,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1522,CVE-2016-1523,CVE-2016-1526
Sources used:
openSUSE 13.2 (src):    graphite2-1.2.4-2.4.1
Comment 9 Marcus Meissner 2016-03-18 14:18:13 UTC
Comment 10 Marcus Meissner 2016-06-02 14:24:05 UTC
For SLES 12 this bug was fixed with the update to graphite 1.3.1, where it was not separately listed.