MGASA-2016-0077

Description

Updated graphite2/firefox packages fix security vulnerability Multiple vulnerabilities in the graphite2 font library can result in information disclosure, denial-of-service (application crashes), or code execution via out-of-bounds reads, a NULL pointer dereference, and a heap-based buffer overflow (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526). Firefox includes a bundled copy of the graphite2 library, which has been updated in Firefox ESR 38.6.1.

Affected Systems

• mageia•firefox

  < 38.6.1-1.mga5

• mageia•firefox-l10n

  < 38.6.1-1.mga5

• mageia•graphite2

  < 1.3.5-1.mga5

References (11)

• https://advisories.mageia.org/MGASA-2016-0077.html
• https://bugs.mageia.org/show_bug.cgi?id=17780
• http://www.talosintel.com/reports/TALOS-2016-0057/
• http://www.talosintel.com/reports/TALOS-2016-0058/
• http://www.talosintel.com/reports/TALOS-2016-0059/
• http://www.talosintel.com/reports/TALOS-2016-0060/
• http://www.talosintel.com/reports/TALOS-2016-0061/
• http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
• https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
• https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
• https://www.debian.org/security/2016/dsa-3477