Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Linux

Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox ( 95

An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.
This discussion has been archived. No new comments can be posted.

Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox

Comments Filter:
  • by Anonymous Coward on Monday February 15, 2016 @10:16AM (#51510737)

    Known Vulnerable Versions:
    Libgraphite 2-1.2.4
    Firefox 31-42


    • Re: (Score:3, Informative)

      by Anonymous Coward
      Yes, Firefox fixed this issue in 44.0.2, released last Thursday. Weirdly, when I checked that page Thursday it did not mention a thing about the graphite vulnerability. It was added today: []
      • by buchner.johannes ( 1139593 ) on Monday February 15, 2016 @10:42AM (#51510889) Homepage Journal

        in the meantime, you can set gfx.font_rendering.graphite.enabled to False

      • by BZ ( 40346 ) on Monday February 15, 2016 @02:44PM (#51512935)

        Firefox fixed this issue in Firefox 43, not in 44.0.2. In particular, it was "fixed" in Firefox by updating to a version of libgraphite that did not have the problem, and this happend before the issue was even reported to libgraphite.

        Hence no CVE for Firefox 43 or 44, because they were never vunerable, and no CVE for Firefox 42, because it was long-superseded by the time the vulnerability was even reported.

        The CVE, if you note, is for Firefox 38 ESR, which _was_ vulnerable until the 38.6.1 release.

  • If only systems and programming languages had been developed that eradicated an entire class of software bugs.

    Can I haz SELinux + grsecurity in all major distributions by default plz.

    • by Anonymous Coward on Monday February 15, 2016 @10:25AM (#51510797)

      Can I haz SELinux + grsecurity in all major distributions by default plz.

      Of course that wouldn't protect Windows, which is also affected by this and is conveniently left out of the summary. Actually, it doesn't impact linux or windows. It impacts applications that run on them that enable smart fonts using graphite. If you haven't turned on this capability or if you turn it off, you aren't impacted at all. Good news is that it has already been fixed in the latest release of graphite in January.

    • by armanox ( 826486 )

      Can I haz SELinux + grsecurity in all major distributions by default plz.

      Red Hat and Fedora based distributions ship with SELinux set to enforcing by default, so most corporate/government installs should be convered.

  • by Anonymous Coward

    libgraphite is used by libreoffice, grcompiler, texlive-binaries, fonts-sil-padauk.

    I have no doubt a more forward looking distro like Fedora or Arch will have more applications that include libgraphite/silgraphite as a dependency. Sadly I can't verify dependants from here:

  • by Anonymous Coward

    Just desactivate the graphite thing in firefox (if you are using one of the vulnerable verions, 11-42) and you are done.

    • by gustygolf ( 3979423 ) on Monday February 15, 2016 @11:08AM (#51511015) Homepage

      Or disable web fonts. No attack vector that way.

      gfx.downloadable_fonts.enabled = false

  • by Anonymous Coward

    I like the font they used in the article. Very creative, especially how it included photos of my kids and parts of the social security number

  • Hyperbole? Much? (Score:5, Insightful)

    by Viol8 ( 599362 ) on Monday February 15, 2016 @11:07AM (#51511009) Homepage


    "The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"

    Err no. It'll crash the browser (or whichever userspace program is using the library). Thats a bit different to crashing the kernel.

    Bring back the X Font Server and get off my lawn!

  • I haven't let web pages use different fonts for years. I use a font at a size on my browser that I find easy to read and I found a long time ago that people making pages were trying to change fonts and sizes to things that weren't as easy for me to read. This comes from people who think that they need to have absolute control of how everything is displayed on the page. That was never the intention of how the web was to work.

  • Can lead of your system being pw0ned!

    Damned Micro$oft!!!!!!!!!!!!.... ...OH ... WAIT....

  • I can find no workarounds for Chrome - posted in the chrome forum. Just wondered if anyone else was concerned enough to figure out how to disable it in Chrome until the library is updated.
    From ldd output of /opt/google/chrome/chrome: => /usr/lib64/ (0x00007fb69a34e000)

COMPASS [for the CDC-6000 series] is the sort of assembler one expects from a corporation whose president codes in octal. -- J.N. Gray