Bugzilla – Bug 963436
VUL-1: CVE-2016-2052: harfbuzz: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6
Last modified: 2017-09-15 10:20:32 UTC
Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1301553
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2052
https://code.google.com/p/chromium/issues/detail?id=544270

SLE 12: 0.9.26
openSUSE 13.2: 0.9.35
Leap: 1.0.3
bugbot adjusting priority
I looked at the git repo and found that they somewhat recently started using libfuzz for testing, and there are several fixes for things that could cause out-of-bounds memory access and the like. I presume this is why chromium decided to upgrade. I looked through recent commits for things that fix crashes or memory access issues, although I haven't yet checked whether all of them apply to the versions in SLE:

c91796
26ba4d
f396fb
ee9b0b
f96664
63ef0b

and a couple from before 1.0.3:

1aaa7d
f1c20e
163c43
Most of these commits don't apply cleanly on 0.9.27. See also https://github.com/behdad/harfbuzz/issues/139
This is an autogenerated message for OBS integration: This bug (963436) was mentioned in
https://build.opensuse.org/request/show/417912 13.2 / harfbuzz
https://build.opensuse.org/request/show/417913 42.1 / harfbuzz
This is an autogenerated message for OBS integration: This bug (963436) was mentioned in https://build.opensuse.org/request/show/417938 42.1 / harfbuzz
openSUSE-SU-2016:2082-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 963436,989564
CVE References: CVE-2015-8947,CVE-2016-2052
Sources used:
openSUSE Leap 42.1 (src): harfbuzz-1.0.3-4.1
openSUSE 13.2 (src): harfbuzz-0.9.35-2.3.1
QA REPRODUCER (from skliu testreport http://qam.suse.de/testreports/SUSE:Maintenance:3053:119618/log )

Reproducer is from: https://github.com/behdad/harfbuzz/issues/139

Reproducer:

  echo AAEAAAADgCoAKvwNUEdEKkYAKeAAdAA9AAAAM0dQT1MA1UARAAAAAAoDAAMAAQAEAAgAAgADAAEABAABAA== | base64 --decode > reproducer
  /usr/src/packages/BUILD/harfbuzz-0.9.26/src/.libs/main reproducer

Output:

  Opened font file reproducer: 61 bytes long
  OpenType font with TrueType outlines
  1 font(s) found in file
    Font 0 of 1:
    3 table(s) found in font
      Table 0 of 3: PGD* (0x0074003d+0x00000033)
      Table 1 of 3: GPOS (0x00000000+0x0a030003)
      0 script(s) found in table
  Segmentation fault
(this reproducer seems to be unfixed still)
(In reply to Marcus Meissner from comment #11)
> (this reproducer seems to be unfixed still)

It's a different segfault that still happens with the code from master. Looking at main.cc, it uses what I think is private API and doesn't appear to do much to sanitize the data passed to it. So I'm not sure if a crash from main.cc is necessarily indicative of a real-world problem that could show up using the public API, but I've asked the upstream maintainer for his opinion. I was testing using libfuzzer, although I needed to adapt LLVMFuzzerTestOneInput() slightly to remove a call to a function that doesn't exist in older versions of harfbuzz.
I got this reply from Behdad:

"You are correct: main.cc does not sanitize, and can be ignored for these purposes. Note that there are two other assertion failures I have reported that I need to fix. But they are not invalid memory access."

Building an executable using libfuzzer would probably be the best way to test these fixes. Let me know if you need help.
Just to verify if I understand correctly: You are saying that the particular issue found to be not fixed is known to be not fixed upstream, is not cause of concern, and that the particular item should be passed? If so, is there an adjusted reproducer for the issues that are fixed?
main.cc uses an internal API and does not sanitize the data passed to it, so, if it crashes, then it doesn't necessarily mean that an external program would similarly crash. The reproducers should be tested using public API that an external caller might use. I'll attach the fuzzer that I was using to test (it's a backport of the code from git).
Created attachment 695779 [details] Fuzzer.
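The point made in the comments above is that main.cc trusts the table directory it reads, while anything reaching HarfBuzz through the public API goes through a sanitizer that first checks every offset and length against the size of the blob. The following is an added example written for this page; it is neither HarfBuzz code nor the attached fuzzer. It decodes nothing at run time: the REPRODUCER array is the 61 bytes that the `base64 --decode` line of the QA reproducer produces, GOOD_FONT is a constructed well-formed one-table blob for comparison, and `sanitize_sfnt()` is a hypothetical helper that applies the bounds checks a sanitizer has to make on an sfnt table directory before any table can be dereferenced. `LLVMFuzzerTestOneInput()` is the real libFuzzer entry-point signature mentioned in the comments, wired to the same check so the file can also be built as a fuzz target.

```c
/* Added example: sfnt table-directory bounds check run over the QA reproducer.
 * Not HarfBuzz code; sanitize_sfnt() is a hypothetical helper for this page. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* The 61 bytes produced by the `base64 --decode` line of the QA reproducer. */
static const uint8_t REPRODUCER[61] = {
    0x00,0x01,0x00,0x00, 0x00,0x03, 0x80,0x2A, 0x00,0x2A, 0xFC,0x0D,                       /* header, numTables = 3 */
    0x50,0x47,0x44,0x2A, 0x46,0x00,0x29,0xE0, 0x00,0x74,0x00,0x3D, 0x00,0x00,0x00,0x33,   /* "PGD*" off 0x74003D len 0x33 */
    0x47,0x50,0x4F,0x53, 0x00,0xD5,0x40,0x11, 0x00,0x00,0x00,0x00, 0x0A,0x03,0x00,0x03,   /* "GPOS" off 0 len 0x0A030003 */
    0x00,0x01,0x00,0x04, 0x00,0x08,0x00,0x02, 0x00,0x03,0x00,0x01, 0x00,0x04,0x00,0x01,   /* non-printable tag */
    0x00
};

/* Constructed well-formed counterpart: one 4-byte "head" table at offset 28. */
static const uint8_t GOOD_FONT[32] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    'h','e','a','d', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x1C, 0x00,0x00,0x00,0x04,
    0xDE,0xAD,0xBE,0xEF
};

struct table_rec {
    char tag[5];
    uint32_t offset;
    uint32_t length;
    int in_bounds;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the table directory of buf[0..len) and check every record against the
 * blob. Returns the number of records whose [offset, offset+length) lies inside
 * the blob, or -1 if the header or the directory itself does not fit. At most
 * max_out records are copied to out; *num_tables receives numTables. */
int sanitize_sfnt(const uint8_t *buf, size_t len, struct table_rec *out,
                  size_t max_out, size_t *num_tables)
{
    if (len < 12) return -1;                     /* offset table header */
    size_t n = be16(buf + 4);
    *num_tables = n;
    if (n > (len - 12) / 16) return -1;          /* directory would run past the blob; no multiply */
    int ok = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 12 + 16 * i;
        struct table_rec r;
        for (int k = 0; k < 4; k++)
            r.tag[k] = (rec[k] >= 0x20 && rec[k] < 0x7F) ? (char)rec[k] : '?';
        r.tag[4] = '\0';
        r.offset = be32(rec + 8);
        r.length = be32(rec + 12);
        /* Two comparisons on purpose: offset + length can wrap in 32 bits. */
        r.in_bounds = (r.offset <= len) && (r.length <= len - r.offset);
        ok += r.in_bounds;
        if (i < max_out) out[i] = r;
    }
    return ok;
}

/* libFuzzer entry point: arbitrary blobs go through the same checks. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct table_rec recs[64];
    size_t n;
    (void)sanitize_sfnt(data, size, recs, 64, &n);
    return 0;
}

int main(void)
{
    struct table_rec recs[8];
    size_t n;
    int ok = sanitize_sfnt(REPRODUCER, sizeof REPRODUCER, recs, 8, &n);
    printf("%zu table(s), %d within the %zu-byte blob\n", n, ok, sizeof REPRODUCER);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  %s offset=0x%08x length=0x%08x %s\n", recs[i].tag, recs[i].offset,
               recs[i].length, recs[i].in_bounds ? "ok" : "OUT OF BOUNDS");
    return 0;
}
```

Built as an ordinary program (`cc -std=c99 -Wall sfnt_check.c`), it reports that none of the three directory entries of the reproducer fit inside the 61-byte file: the PGD* offset 0x0074003D and the GPOS length 0x0A030003 both point far past the end of the blob, which is exactly what a caller that dereferences them without this check, as main.cc does, will read through. To use the same file as a fuzz target, drop `main()` and build with `clang -fsanitize=fuzzer,address`.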
SUSE-SU-2017:1821-1: An update that solves 7 vulnerabilities and has 14 fixes is now available.

Category: security (moderate)
Bug References: 1015115,1015118,1015360,1017925,1021369,1021373,1028817,1034192,1034329,1034568,1035087,1036975,1042828,948058,959926,962777,963436,972777,975283,976831,989564
CVE References: CVE-2015-8947,CVE-2016-10327,CVE-2016-2052,CVE-2017-7870,CVE-2017-7882,CVE-2017-8358,CVE-2017-9433
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): libixion-0.12.1-12.1, libmwaw-0.3.11-9.1, liborcus-0.12.1-12.1, libreoffice-5.3.3.2-40.5.9, libstaroffice-0.0.3-2.1, libzmf-0.0.1-2.1, myspell-dictionaries-20170511-15.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libixion-0.12.1-12.1, libmwaw-0.3.11-9.1, liborcus-0.12.1-12.1, libreoffice-5.3.3.2-40.5.9
SUSE Linux Enterprise Desktop 12-SP2 (src): libixion-0.12.1-12.1, libmwaw-0.3.11-9.1, liborcus-0.12.1-12.1, libreoffice-5.3.3.2-40.5.9, libstaroffice-0.0.3-2.1, libzmf-0.0.1-2.1, myspell-dictionaries-20170511-15.1
fixed (newer versions in every maintained product)
SUSE-SU-2017:2315-1: An update that solves 7 vulnerabilities and has 19 fixes is now available.

Category: security (moderate)
Bug References: 1015115,1015118,1015360,1017925,1021369,1021373,1021675,1028817,1034192,1034329,1034568,1035087,1035589,1036975,1042828,1045339,947117,948058,954776,959926,962777,963436,972777,975283,976831,989564
CVE References: CVE-2015-8947,CVE-2016-10327,CVE-2016-2052,CVE-2017-7870,CVE-2017-7882,CVE-2017-8358,CVE-2017-9433
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): libixion-0.12.1-13.2.1, libmwaw-0.3.11-7.5.1, liborcus-0.12.1-10.5.1, libreoffice-5.3.5.2-43.5.4, libstaroffice-0.0.3-4.1, libzmf-0.0.1-4.1, myspell-dictionaries-20170511-16.2.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libixion-0.12.1-13.2.1, libmwaw-0.3.11-7.5.1, liborcus-0.12.1-10.5.1, libreoffice-5.3.5.2-43.5.4
SUSE Linux Enterprise Desktop 12-SP3 (src): libixion-0.12.1-13.2.1, libmwaw-0.3.11-7.5.1, liborcus-0.12.1-10.5.1, libreoffice-5.3.5.2-43.5.4, libstaroffice-0.0.3-4.1, libzmf-0.0.1-4.1, myspell-dictionaries-20170511-16.2.1
openSUSE-SU-2017:2488-1: An update that solves 7 vulnerabilities and has 19 fixes is now available.

Category: security (moderate)
Bug References: 1015115,1015118,1015360,1017925,1021369,1021373,1021675,1028817,1034192,1034329,1034568,1035087,1035589,1036975,1042828,1045339,947117,948058,954776,959926,962777,963436,972777,975283,976831,989564
CVE References: CVE-2015-8947,CVE-2016-10327,CVE-2016-2052,CVE-2017-7870,CVE-2017-7882,CVE-2017-8358,CVE-2017-9433
Sources used:
openSUSE Leap 42.3 (src): libreoffice-5.3.5.2-3.4
openSUSE Leap 42.2 (src): libreoffice-5.3.5.2-18.9.4