Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com)
An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.
Re: (Score:3, Funny)
your eyes are not open source, they are processing fonts, and they are vulnerable
Re: (Score:1)
But what if my DNA has been sequenced and published? Are my eyes open source then?
Re: (Score:2, Informative)
The reported vulnerability is also present in Windows… As soon as you use the Windows version of Firefox.
Re: (Score:2, Troll)
A: the font isn't open source
B: one or more pair of eyes DID find this problem
C: there are no eyes looking at your Windows platform
I'll take my chances with open source, thank you. You enjoy your telemetry nonsense.
Re: (Score:3)
Well there are a few eyes looking at the Windows platform, I mean sure they all work for Microsoft, but they are there :)
Re: (Score:2)
No. In order to reduce risk to their intellectual property, Microsoft exclusively employs blind people in their Windows division.
Re: (Score:2)
Except if you read the Windows security bulletins that come out every month you'd see that this happens on Microsoft platforms too.
Oh, heaven forbid that people actually pay attention to what they are doing on a computer.
Current version of Firefox is not vulnerable (Score:5, Informative)
Known Vulnerable Versions:
Libgraphite 2-1.2.4
Firefox 31-42
source: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
Re:Current version of Firefox is not vulnerable (Score:5, Informative)
in the meantime, you can set gfx.font_rendering.graphite.enabled to False
Re: (Score:2)
I can't because the most recent Firefox update rendered it completely unusable.
Re: (Score:2, Insightful)
What are you talking about? The GP is a paranoid lunatic and a Pale Moon fanboy. When Google owned the search results that's ok, but when Yahoo (Microsoft) owns it then every bug is Microsoft's fault?
He's claiming that a save dialog not defaulting to the last used file name is a Microsoft conspiracy to discredit the software and get people to switch to IE and Outlook. WTF! Much software has annoying open/save dialogs, it's not a new issue. In fact, I'd suggest the old behavior was a bug and the new beh
Re: (Score:2)
I'm inclined to agree with you - he's making something out of nothing. However, I do like having a default file name (especially if it's smart enough to see if that file already exists and create a new name (say output1.pdf) as not to overwrite the first file). As far as keystrokes go on that, you are adding an extra step in there - it is not necessary to hit delete, you can start typing and it will overwrite highlighted text. Or you can double click the word and start typing (if you are mouse inclined i
How do all the stories affect our thinking? (Score:2)
Another example: I don't know what happened on 9/11/2001 at the World Trade Center, but it is interesting that Marvin P. Bush, the president's younger brother, was a principal in a company called Securacom that provided security for the World Trade Center. [whatreallyhappened.com]
The domination we are seeing is destructive towar
Don't avoid. Stay logical. (Score:2)
That's avoidance, not logic. There are many, many, many articles about abuse by Microsoft. Whether or not you like what I said, or the articles I chose, there is an issue.
As I said above: The domination we are seeing is destructive toward the lives of those who do it, in the kind of way that alcoholism is not a solution to problems, but degrades the lives of alcoholics.
Don't be dishonest toward yourselves. Deal with conflicts, don't avoid them.
Re:Current version of Firefox is not vulnerable (Score:4, Informative)
Firefox fixed this issue in Firefox 43, not in 44.0.2. In particular, it was "fixed" in Firefox by updating to a version of libgraphite that did not have the problem, and this happened before the issue was even reported to libgraphite.
Hence no CVE for Firefox 43 or 44, because they were never vulnerable, and no CVE for Firefox 42, because it was long-superseded by the time the vulnerability was even reported.
The CVE, if you note, is for Firefox 38 ESR, which _was_ vulnerable until the 38.6.1 release.
Another buffer overflow (Score:2)
If only systems and programming languages had been developed that eradicated an entire class of software bugs.
Can I haz SELinux + grsecurity in all major distributions by default plz.
Re:Another buffer overflow (Score:4, Informative)
Can I haz SELinux + grsecurity in all major distributions by default plz.
Of course that wouldn't protect Windows, which is also affected by this and is conveniently left out of the summary. Actually, it doesn't impact linux or windows. It impacts applications that run on them that enable smart fonts using graphite. If you haven't turned on this capability or if you turn it off, you aren't impacted at all. Good news is that it has already been fixed in the latest release of graphite in January.
Re: (Score:3, Interesting)
I get that you clearly have an axe to grind about Rust for some reason, but you have not explained why it isn't viable. It's impossible to take you seriously when you make empty claims about Servo "going nowhere" when components written in Rust for Servo are being added to Firefox as we speak, or that Rust's syntax is "a step backward" from the likes of C++ or PHP, or argue that you might as well use C++ instead, despite the fact that C++ offers too many convenient footguns to make such a thing viable witho
Re: (Score:2, Funny)
Mozilla are
Mozilla is
or
Mozilli are
Re: (Score:2)
Mozilla is
or
Mozilli are
It depends on whether you're treating "Mozilla" as a countable or uncountable noun, e.g. "bottles of milk" versus "milk". That is, as a collective versus an individual reference.
Re: (Score:2)
Can I haz SELinux + grsecurity in all major distributions by default plz.
Red Hat and Fedora based distributions ship with SELinux set to enforcing by default, so most corporate/government installs should be covered.
According to my package manager for Mint (Score:1)
libgraphite is used by libreoffice, grcompiler, texlive-binaries, fonts-sil-padauk.
I have no doubt a more forward looking distro like Fedora or Arch will have more applications that include libgraphite/silgraphite as a dependency. Sadly I can't verify dependants from here: https://apps.fedoraproject.org/packages/graphite2/
gfx.font_rendering.graphite.enabled (Score:1)
Just deactivate the graphite thing in Firefox (if you are using one of the vulnerable versions, 11-42) and you are done.
Re: (Score:3)
Well, maybe.
Firefox is uniquely* exposed to this exploit in that an attacker can embed the bad font in a web page. With other applications, one needs to download and install the font as a separate step.
*At least for OpenOffice, I have to download/install fonts. There may exist apps that do this automatically from remote sites. But how an attacker could specify a particular font server from which the app should download their corrupted font is another hoop they would have to jump through.
Re: (Score:1)
In many word processors, fonts can be embedded into the document, to make sure they render "correctly". I think OO supports this.
Re:gfx.font_rendering.graphite.enabled (Score:5, Informative)
Or disable web fonts. No attack vector that way.
gfx.downloadable_fonts.enabled = false
Nice font (Score:1)
I like the font they used in the article. Very creative, especially how it included photos of my kids and parts of the social security number
Re: When you let anyone run code on your machine (Score:2)
This is why the Web sucks, we mix code and data
If this were a JavaScript exploit, you might have a point, but font libraries are just data. While the attack does involve mixing code and data, it's not a fundamental feature of the web that's being exploited. Instead it's the Von Neumann architecture; it's going to apply to any sufficiently complex program that accepts outside data. A better criticism would be to say "this is why c++ sucks... it's hard to write memory-correct code in it".
Re: (Score:1)
Except the CSS you're downloading tells your browser to go and obtain the vulnerable font. Without asking or confirming. Data (the webpage) is executing code on your machine.
Re: (Score:3)
Unfortunately, fonts aren't just data [wikipedia.org]. This blog post [talosintel.com] details the exploit, basically a malicious font can compromise the TTF virtual machine.
Hyperbole? Much? (Score:5, Insightful)
FTA:
"The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"
Err no. It'll crash the browser (or whichever userspace program is using the library). That's a bit different to crashing the kernel.
Bring back the X Font Server and get off my lawn!
Don't let web pages change font (Score:2)
I haven't let web pages use different fonts for years. I use a font at a size on my browser that I find easy to read and I found a long time ago that people making pages were trying to change fonts and sizes to things that weren't as easy for me to read. This comes from people who think that they need to have absolute control of how everything is displayed on the page. That was never the intention of how the web was to work.
Is 2016 and a malformed font still... (Score:2)
Can lead of your system being pw0ned!
Damned Micro$oft!!!!!!!!!!!!.... ...OH ... WAIT....
chrome stable (48.0) links to libgraphite2.so (Score:2)
From ldd output of
libgraphite2.so.3 =>