From: Martin H. <mar...@si...> - 2016-01-22 14:55:54
Dear All,

> > The Debian security FAQ says:
> >
> > If you learn about a security problem, either in one of your own
> > packages or in someone else's please always contact the security team.
> > If the Debian security team confirms the vulnerability and other vendors
> > are likely to be vulnerable as well, they usually contact other vendors
> > as well. If the vulnerability is not yet public they will try to
> > coordinate security advisories with the other vendors, so all major
> > distributions are in sync.
> >
> > Which is directed to the package maintainers.
>
> If it's already public they either prepare packages themselves by using above mentioned
> patches or I upload them to the security queue myself (which I did for the LibreOffice updates
> in the past)
> I don't think that upstreams should contact every individual security team. :)
>
> But right now we are talking in vain here since the entry in the ChangeLog is too completely
> unclear. Whether it's a minimal problem, some fuzz problem (which might or might not be
> exploitable, git shows fuzz patches some months old...) or something else.
>
> That should be cleared up by the graphite2 people first.

OK. Here goes.

The bugs will be disclosed in due course from here:

http://www.talosintel.com/vulnerability-reports/

as:

TALOS-CAN-0058: A suitably crafted font can result in arbitrary code execution.
TALOS-CAN-0059: A suitably crafted font can result in a buffer overflow.

Debian bug: On ARM, use of collision avoidance can result in a misaligned memory access violation.

I have no idea *when* the TALOS bugs will be made public, but if anyone really wants the details, I am happy to send them the bug reports offline.

Firefox has already been informed and is in process.

Yours,

Martin