[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()

Hi,

On Sun, Mar 11, 2018 at 06:56:30PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> > Hi,
> > 
> > On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > > CVE-2018-7999[0]:
> > > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > > | vulnerability was found in Segment.cpp during a dumbRendering
> > > | operation, which may allow attackers to cause a denial of service or
> > > | possibly have unspecified other impact via a crafted .ttf file.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > > [1] https://github.com/silnrsi/graphite/issues/22
> > 
> > upstream fix backported. Uploaded to sid.
> > 
> > Merged this for jessie and stretch, too. See attached debdiffs. Want me
> > to upload for a DSA?
> 
> This doesn't warrant a DSA, we can either postpone until the next more
> severe graphite vulnerabity or fix it via a point update.

OK.

Regards,

Rene
Reply to: