From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 673CB1396D9 for ; Fri, 13 Oct 2017 23:46:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AFD54E0ED8; Fri, 13 Oct 2017 23:38:40 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id F3EA1E0EB5 for ; Fri, 13 Oct 2017 23:37:59 +0000 (UTC) Received: from localhost.localdomain (wsip-98-173-47-85.sd.sd.cox.net [98.173.47.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: bman) by smtp.gentoo.org (Postfix) with ESMTPSA id 3790633BEC0 for ; Fri, 13 Oct 2017 23:37:59 +0000 (UTC) From: Aaron Bauman To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Subject: [gentoo-announce] [ GLSA 201710-13 ] Graphite: Multiple vulnerabilities Date: Fri, 13 Oct 2017 19:37:56 -0400 Message-ID: <2026640.rJj3bpnnOh@localhost.localdomain> Organization: Gentoo Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart2698288.YnuSmxqr3p"; micalg="pgp-sha256"; protocol="application/pgp-signature" X-Archives-Salt: 8d6c1d60-7b1d-40c1-ae60-b3cd630dd5b9 X-Archives-Hash: ec52375b13fbcc182639d837f48240b0 --nextPart2698288.YnuSmxqr3p Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" =2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201710-13 =2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ =2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Graphite: Multiple vulnerabilities Date: October 13, 2017 Bugs: #621724 ID: 201710-13 =2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis =3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities have been found in Graphite, the worst of which could lead to the remote execution of arbitrary code. Background =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Graphite is a =E2=80=9Csmart font=E2=80=9D system developed specifically to= handle the complexities of lesser-known languages of the world. Affected packages =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-gfx/graphite2 < 1.3.10 >=3D 1.3.10=20 Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Multiple vulnerabilities have been discovered in Graphite. Please review the referenced CVE identifiers for details. Impact =3D=3D=3D=3D=3D=3D A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or have other unspecified impacts. Workaround =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D There is no known workaround at this time. Resolution =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D All Graphite users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=3Dmedia-gfx/graphite2-1.3.10" References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 1 ] CVE-2017-7771 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7771 [ 2 ] CVE-2017-7772 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7772 [ 3 ] CVE-2017-7773 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7773 [ 4 ] CVE-2017-7774 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7774 [ 5 ] CVE-2017-7775 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7775 [ 6 ] CVE-2017-7776 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7776 [ 7 ] CVE-2017-7777 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7777 [ 8 ] CVE-2017-7778 https://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2017-7778 Availability =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201710-13 Concerns? =3D=3D=3D=3D=3D=3D=3D=3D=3D Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License =3D=3D=3D=3D=3D=3D=3D Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --nextPart2698288.YnuSmxqr3p Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlnhTlQACgkQpRQw84X1 dt1Nrwf/Yh08rkHfmH3kHD/dKwSd/YUOmf7TU0keOkw3Z6Tm6mKbHFNJ7kItZN6e mp4+EoabGeydoVjIO1FNQkLXngA2WvdJJtibZopeLsXfHbg0tOqh59v873+wFdKF ik79uR8QtOlSwrRqZB5MXCdzLI5dskOCRtTVveJaYbub4YtKEyZyVCuEHpDvRb+a jslzE4zybn4yPArIs0CJ2aBnmifaGPChtOgUjPPI22S4wXOo5VVxNCtIFV/j9UZO Q54xOF/Jwv8kRewGQHuBMuiGeQ9AxI4ZQSv3Vg+MMX07oCAskpzmld0AGS9SqerP 8DrUv26lHdfvx3WXyp8KMg2Mxq7yEA== =Eeed -----END PGP SIGNATURE----- --nextPart2698288.YnuSmxqr3p--