Bug 965807 - (CVE-2016-1523) VUL-0: CVE-2016-1523: graphite2: An exploitable heap-based buffer overflow exists in the context itemhandling functionality of Libgr...
(CVE-2016-1523)
VUL-0: CVE-2016-1523: graphite2: An exploitable heap-based buffer overflow ex...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/161684/
CVSSv2:SUSE:CVE-2016-1526:6.8:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-09 09:23 UTC by Sebastian Krahmer
Modified: 2016-04-27 20:23 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-02-09 23:00:56 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-02-15 12:41:47 UTC
I assume this bug is connected to 'Heap Overflow' of
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html

There are two commits in the ubuntu bug, second reverting the first one. Please, either provide testcase or confirm that the second commit fixes the issue.

Thank you
Comment 3 Sebastian Krahmer 2016-02-15 13:29:23 UTC
I think they need to be applied in order.

Second commit says its reworking previous fix. Presumably they
insufficiently fixed the issues with the first commit. Only parts
are reverted in the second commit; but also adding additional
checks.
Comment 6 Bernhard Wiedemann 2016-03-07 11:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (965807) was mentioned in
https://build.opensuse.org/request/show/367416 13.2 / graphite2
Comment 7 Petr Gajdos 2016-03-07 13:19:20 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2016-03-15 20:12:36 UTC
SUSE-SU-2016:0779-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Software Development Kit 12 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Server 12-SP1 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Server 12 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    graphite2-1.3.1-6.1
SUSE Linux Enterprise Desktop 12 (src):    graphite2-1.3.1-6.1
Comment 9 Swamp Workflow Management 2016-03-16 18:13:36 UTC
openSUSE-SU-2016:0791-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965806,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1522,CVE-2016-1523,CVE-2016-1526
Sources used:
openSUSE 13.2 (src):    graphite2-1.2.4-2.4.1
Comment 10 Marcus Meissner 2016-03-18 14:20:07 UTC
released
Comment 11 Swamp Workflow Management 2016-03-24 14:08:55 UTC
openSUSE-SU-2016:0875-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 965803,965807,965810
CVE References: CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Sources used:
openSUSE Leap 42.1 (src):    graphite2-1.3.1-3.1