Security update for graphite2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1149-1 Final 1 1 2017-05-02T14:45:22Z current 2017-05-02T14:45:22Z 2017-05-02T14:45:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for graphite2 This update for graphite2 fixes one issue. This security issues was fixed: - CVE-2017-5436: An out-of-bounds write triggered with a maliciously crafted Graphite font could lead to a crash or potentially code execution (bsc#1035204). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2017-668,SUSE-SLE-DESKTOP-12-SP2-2017-668,SUSE-SLE-RPI-12-SP2-2017-668,SUSE-SLE-SDK-12-SP1-2017-668,SUSE-SLE-SDK-12-SP2-2017-668,SUSE-SLE-SERVER-12-SP1-2017-668,SUSE-SLE-SERVER-12-SP2-2017-668 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171149-1/ Link for SUSE-SU-2017:1149-1 https://lists.suse.com/pipermail/sle-security-updates/2017-May/002840.html E-Mail link for SUSE-SU-2017:1149-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1035204 SUSE Bug 1035204 https://www.suse.com/security/cve/CVE-2017-5436/ SUSE CVE CVE-2017-5436 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP2 libgraphite2-3-1.3.1-9.1 libgraphite2-3-32bit-1.3.1-9.1 graphite2-devel-1.3.1-9.1 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 libgraphite2-3-32bit-1.3.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libgraphite2-3-32bit-1.3.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Server 12 SP1 libgraphite2-3-32bit-1.3.1-9.1 as a component of SUSE Linux Enterprise Server 12 SP1 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Server 12 SP2 libgraphite2-3-32bit-1.3.1-9.1 as a component of SUSE Linux Enterprise Server 12 SP2 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libgraphite2-3-32bit-1.3.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libgraphite2-3-1.3.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libgraphite2-3-32bit-1.3.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 graphite2-devel-1.3.1-9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 graphite2-devel-1.3.1-9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVE-2017-5436 SUSE Linux Enterprise Desktop 12 SP1:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Desktop 12 SP1:libgraphite2-3-32bit-1.3.1-9.1 SUSE Linux Enterprise Desktop 12 SP2:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Desktop 12 SP2:libgraphite2-3-32bit-1.3.1-9.1 SUSE Linux Enterprise Server 12 SP1:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Server 12 SP1:libgraphite2-3-32bit-1.3.1-9.1 SUSE Linux Enterprise Server 12 SP2:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Server 12 SP2:libgraphite2-3-32bit-1.3.1-9.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libgraphite2-3-32bit-1.3.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libgraphite2-3-1.3.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libgraphite2-3-32bit-1.3.1-9.1 SUSE Linux Enterprise Software Development Kit 12 SP1:graphite2-devel-1.3.1-9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:graphite2-devel-1.3.1-9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171149-1/ https://www.suse.com/security/cve/CVE-2017-5436.html CVE-2017-5436 https://bugzilla.suse.com/1035082 SUSE Bug 1035082 https://bugzilla.suse.com/1035204 SUSE Bug 1035204