CVE-2016-1523

graphite2: Heap-based buffer overflow in context item handling functionality

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font.

La función SillMap::readFace en FeatureMap.cpp en Libgraphite en Graphite 2 1.2.4, como se utiliza en Mozilla Firefox en versiones anteriores a 43.0 y Firefox ESR 38.x en versiones anteriores a 38.6.1, no maneja correctamente el valor de retorno, lo que permite a atacantes remotos causar una denegación de servicio (falta inicialización, referencia a puntero NULL y caída de aplicación) a través de una fuente inteligente Graphite.

A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-01-07 CVE Reserved
2016-02-13 CVE Published
2023-09-30 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-122: Heap-based Buffer Overflow

CAPEC

References (27)

URL	Tag	Source
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html	X_refsource_misc
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	X_refsource_confirm
http://www.securityfocus.com/bid/82991	Vdb Entry
http://www.securitytracker.com/id/1035017	Vdb Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=1246093	Issue Tracking

URL	Date	SRC

URL	Date	SRC
http://www.mozilla.org/security/announce/2016/mfsa2016-14.html	2017-07-01

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177520.html	2017-07-01
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184623.html	2017-07-01
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00053.html	2017-07-01
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00055.html	2017-07-01
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00052.html	2017-07-01
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00058.html	2017-07-01
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00088.html	2017-07-01
http://rhn.redhat.com/errata/RHSA-2016-0197.html	2017-07-01
http://rhn.redhat.com/errata/RHSA-2016-0258.html	2017-07-01
http://rhn.redhat.com/errata/RHSA-2016-0594.html	2017-07-01
http://www.debian.org/security/2016/dsa-3477	2017-07-01
http://www.debian.org/security/2016/dsa-3479	2017-07-01
http://www.debian.org/security/2016/dsa-3491	2017-07-01
http://www.ubuntu.com/usn/USN-2902-1	2017-07-01
http://www.ubuntu.com/usn/USN-2904-1	2017-07-01
https://security.gentoo.org/glsa/201605-06	2017-07-01
https://security.gentoo.org/glsa/201701-35	2017-07-01
https://security.gentoo.org/glsa/201701-63	2017-07-01
https://access.redhat.com/security/cve/CVE-2016-1523	2016-04-05
https://bugzilla.redhat.com/show_bug.cgi?id=1305813	2016-04-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				22 Search vendor "Fedoraproject" for product "Fedora" and version "22"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				23 Search vendor "Fedoraproject" for product "Fedora" and version "23"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.0.1 Search vendor "Mozilla" for product "Firefox Esr" and version "38.0.1"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.0.5 Search vendor "Mozilla" for product "Firefox Esr" and version "38.0.5"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.1.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.1.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.1.1 Search vendor "Mozilla" for product "Firefox Esr" and version "38.1.1"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.2.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.2.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.2.1 Search vendor "Mozilla" for product "Firefox Esr" and version "38.2.1"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.3.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.3.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.4.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.4.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.5.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.5.0"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.5.1 Search vendor "Mozilla" for product "Firefox Esr" and version "38.5.1"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.5.2 Search vendor "Mozilla" for product "Firefox Esr" and version "38.5.2"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				38.6.0 Search vendor "Mozilla" for product "Firefox Esr" and version "38.6.0"		-		Affected
Mozilla Search vendor "Mozilla"		Thunderbird Search vendor "Mozilla" for product "Thunderbird"				<= 38.5.1 Search vendor "Mozilla" for product "Thunderbird" and version " <= 38.5.1"		-		Affected
Sil Search vendor "Sil"		Graphite2 Search vendor "Sil" for product "Graphite2"				1.2.4 Search vendor "Sil" for product "Graphite2" and version "1.2.4"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected