Greetings,
I was made aware of CVE-2016-1521 this past weekend, and can find no reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat Security Bulletin regarding this.
I consider this CVE to be critical as it requires zero action on the part of the user. It can be spread through malvertising, or a minor hack to a website that calls a 3rd party CSS file.
The Graphite developers released an update in January, but have not specifically addressed this CVE. Can you provide a statement stating whether it has been fixed or not?
References: http://www.talosintel.com/reports/TALOS-2016-0058/
http://news.softpedia.com/news/vulnerability-in-font-processing-library-affe...
Regards, Dan Mossor
On Mon, Feb 08, 2016 at 11:30:42AM -0600, Dan Mossor wrote:
I was made aware of CVE-2016-1521 this past weekend, and can find no reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat Security Bulletin regarding this.
At Mitre, that's still a reserved CVE. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521)
Hello Dan,
Thank you for reporting this issue.
On Tuesday, 9 February 2016 2:27 PM, Matthew Miller mattdm@fedoraproject.org wrote:
On Mon, Feb 08, 2016 at 11:30:42AM -0600, Dan Mossor wrote:
I was made aware of CVE-2016-1521 this past weekend, and can find no reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat Security Bulletin regarding this.
At Mitre, that's still a reserved CVE. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521)
A CVE bug and a Fedora tracker have been opened. -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1521
Was this issue and CVE assignment reported anywhere (other than www.talosintel.com)? How was the CVE assigned? I couldn't find any reference, which is probably why the above bugzilla was not opened earlier.
Thank you.
---
-P J P
http://feedmug.com
On Mon Feb 08 12:30:50 2016, dmossor@fedoraproject.org wrote:
Greetings,
I was made aware of CVE-2016-1521 this past weekend, and can find no reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat Security Bulletin regarding this.
I consider this CVE to be critical as it requires zero action on the part of the user. It can be spread through malvertising, or a minor hack to a website that calls a 3rd party CSS file.
The Graphite developers released an update in January, but have not specifically addressed this CVE. Can you provide a statement stating whether it has been fixed or not?
References: http://www.talosintel.com/reports/TALOS-2016-0058/
http://news.softpedia.com/news/vulnerability-in-font-processing-library-affects-linux-openoffice-firefox-500027.shtml
Regards, Dan Mossor
Hello Dan,
Thank you for bringing this to our attention. We'll analyze it as soon as possible.
Best Regards,
-- Adam Mariš / Red Hat Product Security
On 02/08/2016 12:30 PM, Dan Mossor wrote:
Greetings,
I was made aware of CVE-2016-1521 this past weekend, and can find no reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat Security Bulletin regarding this.
I consider this CVE to be critical as it requires zero action on the part of the user. It can be spread through malvertising, or a minor hack to a website that calls a 3rd party CSS file.
The Graphite developers released an update in January, but have not specifically addressed this CVE. Can you provide a statement stating whether it has been fixed or not?
References: http://www.talosintel.com/reports/TALOS-2016-0058/
http://news.softpedia.com/news/vulnerability-in-font-processing-library-affe...
Regards, Dan Mossor
Take a look here; these just came into the Fedora Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1305814
https://bugzilla.redhat.com/show_bug.cgi?id=1305811
https://bugzilla.redhat.com/show_bug.cgi?id=1305806
And RedHat alert: https://access.redhat.com/security/cve/CVE-2016-1521
Unfortunately there isn't much info. It looks like it may not have been communicated to RedHat before this.
It's also in the broader news now:
http://www.theregister.co.uk/2016/02/09/libgraphite_font_library_buggy_and_v...
Sounds like it's not just limited to Linux either.
Hopefully we'll get something official soon.
-David
security-team@lists.fedoraproject.org