Bug 965806 - (CVE-2016-1522) VUL-0: CVE-2016-1522: graphite2: An exploitable out-of-bounds access vulnerability exists in thebidirectional font handling function...
(CVE-2016-1522)
VUL-0: CVE-2016-1522: graphite2: An exploitable out-of-bounds access vulnerab...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/161683/
CVSSv2:SUSE:CVE-2016-1526:6.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-09 09:22 UTC by Sebastian Krahmer
Modified: 2016-06-02 14:24 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-02-09 23:00:47 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-02-15 13:27:06 UTC
This is connected to first part of 'Denial of Service' in 
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
?

At least 
https://github.com/silnrsi/graphite/commit/a94bbf1a651b13ecfaf9a774a841d36964c25929
seems, that yes. 

This and only this commit is relevant? There is another commit in the ubuntu bug, but I am not sure it is related to this bug.

More info welcome.

Thank you
Comment 3 Sebastian Krahmer 2016-02-15 13:39:50 UTC
To me, both commits seem to need to be applied.
What they name as "various fuzztest bugs" is IOW a crash
like all the other stuff that they are fixing.
Comment 5 Petr Gajdos 2016-03-07 09:01:30 UTC
1.3.1 in sle12 already contains the fix.
Comment 6 Bernhard Wiedemann 2016-03-07 11:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (965806) was mentioned in
https://build.opensuse.org/request/show/367416 13.2 / graphite2
Comment 7 Petr Gajdos 2016-03-07 13:16:37 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2016-03-16 18:13:25 UTC
openSUSE-SU-2016:0791-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965806,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1522,CVE-2016-1523,CVE-2016-1526
Sources used:
openSUSE 13.2 (src):    graphite2-1.2.4-2.4.1
Comment 9 Marcus Meissner 2016-03-18 14:18:13 UTC
released
Comment 10 Marcus Meissner 2016-06-02 14:24:05 UTC
For SLES 12 this bug was fixed with the update to graphite 1.3.1, where it was not seperately listed.