The directrun function in directmachine.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, does not validate a certain skip operation, which allows remote attackers to execute arbitrary code, obtain sensitive information, or cause a denial of service (out-of-bounds read and application crash) via a crafted Graphite smart font.

According to the versions of the graphite2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Various vulnerabilities have been discovered in     Graphite2. An attacker able to trick an unsuspecting     user into opening specially crafted font files in an     application using Graphite2 could exploit these flaws     to cause the application to crash or, potentially,     execute arbitrary code with the privileges of the     application. (CVE-2016-1521, CVE-2016-1522,     CVE-2016-1523, CVE-2016-1526)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-63 (Graphite: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Graphite. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, or obtain       sensitive information.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-201701-35 (Mozilla SeaMonkey: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla SeaMonkey.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, or obtain       sensitive information.
  Workaround :

    There is no known workaround at this time.

Unspecified security fixes ---- Security fix for CVE-2016-1521, CVE-2016-1522, CVE-2016-1523 and CVE-2016-1526

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.

The following packages have been upgraded to a newer upstream version:
graphite2 (1.3.6).

Security Fix(es) :

  - Various vulnerabilities have been discovered in     Graphite2. An attacker able to trick an unsuspecting     user into opening specially crafted font files in an     application using Graphite2 could exploit these flaws to     cause the application to crash or, potentially, execute     arbitrary code with the privileges of the application.
    (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523,     CVE-2016-1526)

An update for graphite2 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Graphite2 is a project within SIL's Non-Roman Script Initiative and Language Software Development groups to provide rendering capabilities for complex non-Roman writing systems. Graphite can be used to create 'smart fonts' capable of displaying writing systems with various complex behaviors. With respect to the Text Encoding Model, Graphite handles the 'Rendering' aspect of writing system implementation.

The following packages have been upgraded to a newer upstream version:
graphite2 (1.3.6).

Security Fix(es) :

* Various vulnerabilities have been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-0594 advisory.

    - Related: rhbz#1309052 CVE-2016-1521 CVE-2016-1522 CVE-2016-1523 CVE-2016-1526
    - Resolves: rhbz#1309052 CVE-2016-1521 CVE-2016-1522 CVE-2016-1523 CVE-2016-1526

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for graphite2 fixes the following issues :

  - CVE-2016-1521: The directrun function in     directmachine.cpp in Libgraphite did not validate a     certain skip operation, which allowed remote attackers     to execute arbitrary code, obtain sensitive information,     or cause a denial of service (out-of-bounds read and     application crash) via a crafted Graphite smart font.

  - CVE-2016-1523: The SillMap::readFace function in     FeatureMap.cpp in Libgraphite mishandled a return value,     which allowed remote attackers to cause a denial of     service (missing initialization, NULL pointer     dereference, and application crash) via a crafted     Graphite smart font.

  - CVE-2016-1526: The TtfUtil:LocaLookup function in     TtfUtil.cpp in Libgraphite incorrectly validated a size     value, which allowed remote attackers to obtain     sensitive information or cause a denial of service     (out-of-bounds read and application crash) via a crafted     Graphite smart font.

This update was imported from the SUSE:SLE-12:Update project.

This update for graphite2 fixes the following issues :

  - CVE-2016-1521: The directrun function in     directmachine.cpp in Libgraphite did not validate a     certain skip operation, which allowed remote attackers     to execute arbitrary code, obtain sensitive information,     or cause a denial of service (out-of-bounds read and     application crash) via a crafted Graphite smart font.

  - CVE-2016-1523: The SillMap::readFace function in     FeatureMap.cpp in Libgraphite mishandled a return value,     which allowed remote attackers to cause a denial of     service (missing initialization, NULL pointer     dereference, and application crash) via a crafted     Graphite smart font.

  - CVE-2016-1526: The TtfUtil:LocaLookup function in     TtfUtil.cpp in Libgraphite incorrectly validated a size     value, which allowed remote attackers to obtain     sensitive information or cause a denial of service     (out-of-bounds read and application crash) via a crafted     Graphite smart font.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for graphite2 fixes the following issues :

  - CVE-2016-1521: The directrun function in     directmachine.cpp in Libgraphite did not validate a     certain skip operation, which allowed remote attackers     to execute arbitrary code, obtain sensitive information,     or cause a denial of service (out-of-bounds read and     application crash) via a crafted Graphite smart font.

  - CVE-2016-1522: Code.cpp in Libgraphite did not consider     recursive load calls during a size check, which allowed     remote attackers to cause a denial of service     (heap-based buffer overflow) or possibly execute     arbitrary code via a crafted Graphite smart font.

  - CVE-2016-1523: The SillMap::readFace function in     FeatureMap.cpp in Libgraphite mishandled a return value,     which allowed remote attackers to cause a denial of     service (missing initialization, NULL pointer     dereference, and application crash) via a crafted     Graphite smart font.

  - CVE-2016-1526: The TtfUtil:LocaLookup function in     TtfUtil.cpp in Libgraphite incorrectly validated a size     value, which allowed remote attackers to obtain     sensitive information or cause a denial of service     (out-of-bounds read and application crash) via a crafted     Graphite smart font.

Security fix for CVE-2016-1521, CVE-2016-1522, CVE-2016-1523 and CVE-2016-1526

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed.

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2016-1930, CVE-2016-1935)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, and Aki Helin as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 38.6.0. You can find a link to the Mozilla advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 38.6.0, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes to take effect.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2902-1 advisory.

    Yves Younan discovered that graphite2 incorrectly handled certain malformed fonts. If a user or automated     system were tricked into opening a specially- crafted font file, a remote attacker could use this issue to     cause graphite2 to crash, resulting in a denial of service, or possibly execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523)

After installing the update, Firefox must be restarted for the changes to take effect.

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523)

All Firefox users should upgrade to these updated packages, which contain Firefox version 38.6.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

From Red Hat Security Advisory 2016:0197 :

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523)

All Firefox users should upgrade to these updated packages, which contain Firefox version 38.6.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

Talos reports :

- An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.

- A specially crafted font can cause a buffer overflow resulting in potential code execution.

- An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

ID	Name	Product	Family	Severity
99776	EulerOS 2.0 SP1 : graphite2 (EulerOS-SA-2016-1013)	Nessus	Huawei Local Security Checks	high
96749	GLSA-201701-63 : Graphite: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
96515	GLSA-201701-35 : Mozilla SeaMonkey: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
91060	Fedora 22 : graphite2-1.3.6-1.fc22 (2016-338a7e9925)	Nessus	Fedora Local Security Checks	high
90865	Amazon Linux AMI : graphite2 (ALAS-2016-696)	Nessus	Amazon Linux Local Security Checks	high
90393	Scientific Linux Security Update : graphite2 on SL7.x x86_64 (20160406)	Nessus	Scientific Linux Local Security Checks	high
90387	RHEL 7 : graphite2 (RHSA-2016:0594)	Nessus	Red Hat Local Security Checks	high
90384	Oracle Linux 7 : graphite2 (ELSA-2016-0594)	Nessus	Oracle Linux Local Security Checks	high
90368	CentOS 7 : graphite2 (CESA-2016:0594)	Nessus	CentOS Local Security Checks	high
90167	openSUSE Security Update : graphite2 (openSUSE-2016-389)	Nessus	SuSE Local Security Checks	high
89991	SUSE SLED12 / SLES12 Security Update : graphite2 (SUSE-SU-2016:0779-1)	Nessus	SuSE Local Security Checks	high
89975	openSUSE Security Update : graphite2 (openSUSE-2016-349)	Nessus	SuSE Local Security Checks	high
89525	Fedora 23 : graphite2-1.3.5-1.fc23 (2016-4154a4d0ba)	Nessus	Fedora Local Security Checks	high
88865	Debian DSA-3479-1 : graphite2 - security update	Nessus	Debian Local Security Checks	high
88859	RHEL 5 / 6 / 7 : thunderbird (RHSA-2016:0258)	Nessus	Red Hat Local Security Checks	critical
88844	CentOS 5 / 6 / 7 : thunderbird (CESA-2016:0258)	Nessus	CentOS Local Security Checks	critical
88837	Ubuntu 14.04 LTS : graphite2 vulnerabilities (USN-2902-1)	Nessus	Ubuntu Local Security Checks	high
88796	Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20160216)	Nessus	Scientific Linux Local Security Checks	high
88789	RHEL 5 / 6 / 7 : firefox (RHSA-2016:0197)	Nessus	Red Hat Local Security Checks	high
88781	Oracle Linux 5 / 6 / 7 : firefox (ELSA-2016-0197)	Nessus	Oracle Linux Local Security Checks	high
88762	CentOS 5 / 6 / 7 : firefox (CESA-2016:0197)	Nessus	CentOS Local Security Checks	high
88672	FreeBSD : graphite2 -- code execution vulnerability (8f10fa04-cf6a-11e5-96d6-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-1521

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

critical

critical

high

high

high

high

high

high