graphite2: CVE-2018-7999: null pointer dereference in Segment()

Related Vulnerabilities: CVE-2018-7999  

Debian Bug report logs - #892590

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 11 Mar 2018 07:45:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions graphite2/1.3.10-1, graphite2/1.3.10-8, graphite2/1.3.11-1

Fixed in version graphite2/1.3.11-2

Done: Rene Engelhard <rene@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/silnrsi/graphite/issues/22



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 07:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 07:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Date: Sun, 11 Mar 2018 08:43:32 +0100
Source: graphite2
Version: 1.3.10-8
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/silnrsi/graphite/issues/22
Control: found -1 1.3.11-1

Hi,

the following vulnerability was published for graphite2.

CVE-2018-7999[0]:
| In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
| vulnerability was found in Segment.cpp during a dumbRendering
| operation, which may allow attackers to cause a denial of service or
| possibly have unspecified other impact via a crafted .ttf file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7999
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
[1] https://github.com/silnrsi/graphite/issues/22

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions graphite2/1.3.11-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 11 Mar 2018 07:45:05 GMT) (full text, mbox, link).


Marked as found in versions graphite2/1.3.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 11 Mar 2018 08:33:03 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#892590. (Sun, 11 Mar 2018 12:30:03 GMT) (full text, mbox, link).


Message #12 received at 892590-submitter@bugs.debian.org (full text, mbox, reply):

From: rene@rene-engelhard.de
To: 892590-submitter@bugs.debian.org
Subject: Bug #892590 in graphite2 marked as pending
Date: Sun, 11 Mar 2018 12:26:38 +0000
Control: tag -1 pending

Hello,

Bug #892590 in graphite2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/libreoffice-team/graphite2/commit/be3be5c0d22bd4d80978be69d99dbfd4bc83ad8d

------------------------------------------------------------------------
backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 to fix CVE-2018-7999 (closes: #892590)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/892590



Added tag(s) pending. Request was from rene@rene-engelhard.de to 892590-submitter@bugs.debian.org. (Sun, 11 Mar 2018 12:30:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 13:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 13:06:03 GMT) (full text, mbox, link).


Message #19 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 892590@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Date: Sun, 11 Mar 2018 14:02:22 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> CVE-2018-7999[0]:
> | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> | vulnerability was found in Segment.cpp during a dumbRendering
> | operation, which may allow attackers to cause a denial of service or
> | possibly have unspecified other impact via a crafted .ttf file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> [1] https://github.com/silnrsi/graphite/issues/22

upstream fix backported. Uploaded to sid.

Merged this for jessie and stretch, too. See attached debdiffs. Want me
to upload for a DSA?

(for the jessie branch I also had an embarrassing typo fix pending.
Included. If I should remove that one I can, though, too)

Regards,

Rene
[stretch.debdiff (text/plain, attachment)]
[jessie.debdiff (text/plain, attachment)]

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#892590. (Sun, 11 Mar 2018 13:06:05 GMT) (full text, mbox, link).


Message #22 received at 892590-submitter@bugs.debian.org (full text, mbox, reply):

From: rene@rene-engelhard.de
To: 892590-submitter@bugs.debian.org
Subject: Bug #892590 in graphite2 marked as pending
Date: Sun, 11 Mar 2018 13:02:37 +0000
Control: tag -1 pending

Hello,

Bug #892590 in graphite2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/libreoffice-team/graphite2/commit/cddea134d89f56911f6817c69d19ac2866a5da5d

------------------------------------------------------------------------
backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 to fix CVE-2018-7999 (closes: #892590)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/892590



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#892590. (Sun, 11 Mar 2018 13:06:06 GMT) (full text, mbox, link).


Message #25 received at 892590-submitter@bugs.debian.org (full text, mbox, reply):

From: rene@rene-engelhard.de
To: 892590-submitter@bugs.debian.org
Subject: Bug #892590 in graphite2 marked as pending
Date: Sun, 11 Mar 2018 13:02:38 +0000
Control: tag -1 pending

Hello,

Bug #892590 in graphite2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/libreoffice-team/graphite2/commit/cddea134d89f56911f6817c69d19ac2866a5da5d

------------------------------------------------------------------------
backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6 to fix CVE-2018-7999 (closes: #892590)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/892590



Reply sent to Rene Engelhard <rene@debian.org>:
You have taken responsibility. (Sun, 11 Mar 2018 13:09:04 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Mar 2018 13:09:04 GMT) (full text, mbox, link).


Message #30 received at 892590-close@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>
To: 892590-close@bugs.debian.org
Subject: Bug#892590: fixed in graphite2 1.3.11-2
Date: Sun, 11 Mar 2018 13:06:20 +0000
Source: graphite2
Source-Version: 1.3.11-2

We believe that the bug you reported is fixed in the latest version of
graphite2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892590@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated graphite2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 11 Mar 2018 13:22:48 +0100
Source: graphite2
Binary: libgraphite2-3 libgraphite2-dev libgraphite2-doc libgraphite2-utils
Architecture: source
Version: 1.3.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description:
 libgraphite2-3 - Font rendering engine for Complex Scripts -- library
 libgraphite2-dev - Development files for libgraphite2
 libgraphite2-doc - Documentation for libgraphite2
 libgraphite2-utils - Font rendering engine for Complex Scripts -- utilities
Closes: 892590
Changes:
 graphite2 (1.3.11-2) unstable; urgency=medium
 .
   * backport upstream commit db132b4731a9b4c9534144ba3a18e65b390e9ff6
     to fix CVE-2018-7999 (closes: #892590)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 13:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Rene Engelhard <rene@rene-engelhard.de>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 13:33:03 GMT) (full text, mbox, link).


Message #35 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@rene-engelhard.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 892590@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Date: Sun, 11 Mar 2018 14:22:24 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
> 
> upstream fix backported. Uploaded to sid.
> 
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?
> 
> (for the jessie branch I also had an embarrassing typo fix pending.
> Included. If I should remove that one I can, though, too)

I'll remove that one, since stretch doesn't have it done either...

New diff attached.

Regards,
 
Rene
[jessie.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 18:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 18:00:04 GMT) (full text, mbox, link).


Message #40 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Rene Engelhard <rene@debian.org>
Cc: 892590@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Date: Sun, 11 Mar 2018 18:56:30 +0100
On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> Hi,
> 
> On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > CVE-2018-7999[0]:
> > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > | vulnerability was found in Segment.cpp during a dumbRendering
> > | operation, which may allow attackers to cause a denial of service or
> > | possibly have unspecified other impact via a crafted .ttf file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > [1] https://github.com/silnrsi/graphite/issues/22
> 
> upstream fix backported. Uploaded to sid.
> 
> Merged this for jessie and stretch, too. See attached debdiffs. Want me
> to upload for a DSA?

This doesn't warrant a DSA, we can either postpone until the next more
severe graphite vulnerability or fix it via a point update.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Sun, 11 Mar 2018 18:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 11 Mar 2018 18:09:03 GMT) (full text, mbox, link).


Message #45 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 892590@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#892590: graphite2: CVE-2018-7999: null pointer dereference in Segment()
Date: Sun, 11 Mar 2018 19:07:21 +0100
Hi,

On Sun, Mar 11, 2018 at 06:56:30PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote:
> > Hi,
> > 
> > On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote:
> > > CVE-2018-7999[0]:
> > > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
> > > | vulnerability was found in Segment.cpp during a dumbRendering
> > > | operation, which may allow attackers to cause a denial of service or
> > > | possibly have unspecified other impact via a crafted .ttf file.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7999
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999
> > > [1] https://github.com/silnrsi/graphite/issues/22
> > 
> > upstream fix backported. Uploaded to sid.
> > 
> > Merged this for jessie and stretch, too. See attached debdiffs. Want me
> > to upload for a DSA?
> 
> This doesn't warrant a DSA, we can either postpone until the next more
> severe graphite vulnerability or fix it via a point update.

OK.

Regards,

Rene



Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Sun, 18 Mar 2018 06:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Abhijith PA <abhijith@disroot.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Sun, 18 Mar 2018 06:12:03 GMT) (full text, mbox, link).


Message #50 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Abhijith PA <abhijith@disroot.org>
To: 892590@bugs.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Review graphite2
Date: Sun, 18 Mar 2018 11:39:57 +0530
[Message part 1 (text/plain, inline)]
Hello.

I prepared LTS security update for graphite2[1]. Debdiff is attached.
All tests ran successfully. Please review.

-abhijith

[1] https://mentors.debian.net/debian/pool/main/g/graphite2/graphite2_1.3.10-1~deb7u2.dsc
[graphite2_deb7u2.debdiff (text/plain, attachment)]
[graphite2_deb7u2.debdiff.sig (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 15:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 15:27:03 GMT) (full text, mbox, link).


Message #55 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>
To: Abhijith PA <abhijith@disroot.org>, 892590@bugs.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#892590: Review graphite2
Date: Mon, 19 Mar 2018 16:23:40 +0100
On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote:
> I prepared LTS security update for graphite2[1]. Debdiff is attached.
> All tests ran successfully. Please review.

Why would we need one given for jessie and stretch it is clearly marked
as no-DSA?

https://security-tracker.debian.org/tracker/source-package/graphite2

I think we don't and shouldn't do this.

Regards,

Rene



Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 15:45:14 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 15:45:14 GMT) (full text, mbox, link).


Message #60 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Rene Engelhard <rene@debian.org>
Cc: Abhijith PA <abhijith@disroot.org>, 892590@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#892590: Review graphite2
Date: Mon, 19 Mar 2018 16:43:51 +0100
[Message part 1 (text/plain, inline)]
Hi,

Am 19.03.2018 um 16:23 schrieb Rene Engelhard:
> On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote:
>> I prepared LTS security update for graphite2[1]. Debdiff is attached.
>> All tests ran successfully. Please review.
> 
> Why would we need one given for jessie and stretch it is clearly marked
> as no-DSA?
> 
> https://security-tracker.debian.org/tracker/source-package/graphite2
> 
> I think we don't and shouldn't do this.
> 
> Regards,
> 
> Rene

No-dsa means that the security team won't handle it but it is still a
bug which can and should be fixed via a point update.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 16:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 16:09:03 GMT) (full text, mbox, link).


Message #65 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: Abhijith PA <abhijith@disroot.org>, 892590@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#892590: Review graphite2
Date: Mon, 19 Mar 2018 17:04:17 +0100
Hi,

On Mon, Mar 19, 2018 at 04:43:51PM +0100, Markus Koschany wrote:
> Am 19.03.2018 um 16:23 schrieb Rene Engelhard:
> > On Sun, Mar 18, 2018 at 11:39:57AM +0530, Abhijith PA wrote:
> >> I prepared LTS security update for graphite2[1]. Debdiff is attached.
> >> All tests ran successfully. Please review.
> > 
> > Why would we need one given for jessie and stretch it is clearly marked
> > as no-DSA?
> > 
> > https://security-tracker.debian.org/tracker/source-package/graphite2
> > 
> > I think we don't and shouldn't do this.
> > 
> > Regards,
> > 
> > Rene
> 
> No-dsa means that the security team won't handle it but it is still a
> bug which can and should be fixed via a point update.

This will happen (as Moritz said in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892590#40) when the next
severe issue warranting a DSA comes up.

I am not going over the .-release procedure for this, I'd have uploaded
to security, though, but...

I don't think we should special-case our oldest,
soon-to-be-not-supported release.

Regards,

Rene



Information forwarded to debian-bugs-dist@lists.debian.org, Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>:
Bug#892590; Package src:graphite2. (Mon, 19 Mar 2018 20:21:09 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>. (Mon, 19 Mar 2018 20:21:09 GMT) (full text, mbox, link).


Message #70 received at 892590@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Rene Engelhard <rene@debian.org>
Cc: Markus Koschany <apo@debian.org>, Abhijith PA <abhijith@disroot.org>, 892590@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Bug#892590: Review graphite2
Date: Mon, 19 Mar 2018 21:17:51 +0100
On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote:
> I am not going over the .-release procedure for this, I'd have uploaded
> to security, though, but...
> 
> I don't think we should special-case our oldest,
> soon-to-be-not-supported release.

Agreed, it doesn't make sense to fix this bug on its own. We can
simply piggyback it on the next more severe graphite update.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Apr 2018 07:32:54 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:22 2019; Machine Name: buxtehude
