On 02/08/2016 12:30 PM, Dan Mossor wrote:
Greetings,
I was made aware of CVE-2016-1521 this past weekend, and can find no
reference to this CVE in Red Hat Bugzilla, nor has there been a Red
Hat Security Bulletin regarding this.
I consider this CVE to be critical as it requires zero action on the
part of the user. It can be spread through malvertising, or a minor
hack to a website that calls a 3rd party CSS file.
The Graphite developers released an update in January, but have not
specifically addressed this CVE. Can you provide a statement stating
whether it has been fixed or not?
References:
http://www.talosintel.com/reports/TALOS-2016-0058/
http://news.softpedia.com/news/vulnerability-in-font-processing-library-a...
Regards,
Dan Mossor
Here take a look here, just came into the Fedora BugZilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1305814
https://bugzilla.redhat.com/show_bug.cgi?id=1305811
https://bugzilla.redhat.com/show_bug.cgi?id=1305806
And RedHat alert:
https://access.redhat.com/security/cve/CVE-2016-1521
Unfortunately there isn't much info. It looks like it may not have been
communicated to RedHat before this.
It's also in the broader news now:
http://www.theregister.co.uk/2016/02/09/libgraphite_font_library_buggy_an...
Sounds like it's not just limited to Linux either.
Hopefully we'll get something official soon.
-David