Slashdot Mirror


Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com)

An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.

95 comments

  1. Current version of Firefox is not vulnerable by Anonymous Coward · · Score: 5, Informative

    Known Vulnerable Versions:
    Libgraphite 2-1.2.4
    Firefox 31-42

    source: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html

    1. Re:Current version of Firefox is not vulnerable by Anonymous Coward · · Score: 3, Informative

      Yes, Firefox fixed this issue in 44.0.2, released last Thursday. Weirdly, when I checked that page Thursday it did not mention a thing about the graphite vulnerability. It was added today: https://www.mozilla.org/en-US/...

    2. Re:Current version of Firefox is not vulnerable by buchner.johannes · · Score: 5, Informative

      in the meantime, you can set gfx.font_rendering.graphite.enabled to False

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:Current version of Firefox is not vulnerable by thegarbz · · Score: 1

      I can't because the most recent Firefox update rendered it completely unusable.

    4. Re:Current version of Firefox is not vulnerable by BZ · · Score: 3, Informative

      Firefox fixed this issue in Firefox 43, not in 44.0.2. In particular, it was "fixed" in Firefox by updating to a version of libgraphite that did not have the problem, and this happened before the issue was even reported to libgraphite.

      Hence no CVE for Firefox 43 or 44, because they were never vulnerable, and no CVE for Firefox 42, because it was long-superseded by the time the vulnerability was even reported.

      The CVE, if you note, is for Firefox 38 ESR, which _was_ vulnerable until the 38.6.1 release.

    5. Re:Current version of Firefox is not vulnerable by Anonymous Coward · · Score: 0

      Then you're fine. That workaround was for if you don't have the latest Firefox update. If you do then you're not affected in the first place.

  2. Another buffer overflow by buchner.johannes · · Score: 1

    If only systems and programming languages had been developed that eradicated an entire class of software bugs.

    Can I haz SELinux + grsecurity in all major distributions by default plz.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:Another buffer overflow by Anonymous Coward · · Score: 4, Informative

      Can I haz SELinux + grsecurity in all major distributions by default plz.

      Of course that wouldn't protect Windows, which is also affected by this and is conveniently left out of the summary. Actually, it doesn't impact linux or windows. It impacts applications that run on them that enable smart fonts using graphite. If you haven't turned on this capability or if you turn it off, you aren't impacted at all. Good news is that it has already been fixed in the latest release of graphite in January.

    2. Re:Another buffer overflow by Anonymous Coward · · Score: 0, Troll

      As seen with SELinux, all you get is the majority using selinux=0 as a boot option when problems arise or they can't figure out how to reconfigure SELinux to allow a port number change.

    3. Re:Another buffer overflow by Anonymous Coward · · Score: 0

      Ironically, Mozilla are among the only ones who developed a language to try to get rid of these kinds of problems, but almost nobody knows or cares.

    4. Re:Another buffer overflow by Anonymous Coward · · Score: 0, Interesting

      We all know about Rust. We know its syntax is a step backward from C, C++, Java, C#, and even PHP. We know its resource management approach is confusing, even when you understand how it works and how to use it. We know there's only one implementation of it, and according to its issue tracker it's really buggy (which is even funnier because the Rust compiler and standard libraries are implemented in Rust and Rust is supposed to have been designed to make bugs less likely!). We know it took them fucking forever to get Rust 1.0 out the door, and even then it wasn't stable. We know that it hasn't lived up to the hype since then. We know their leadership includes prominent former Ruby on Railers who jumped ship when it became obvious that RoR was no longer trendy. We know the Rust standard library is quite shitty and lacking. We know that C++ has continued to evolve and can offer pretty much everything Rust offers. We know that the Rust community is quite totalitarian, with an intolerant code of conduct and a mod team to take out anyone they don't like. We question Mozilla's future, seeing as how Firefox's market share is dropping like a rock thanks to Mozilla treating its users so badly and subjecting them to so many unwanted changes in Firefox, and Firefox is really Mozilla's only product that sees use these days. We know that the Servo project, which is written in Rust, is going nowhere. We ignore Rust because it just isn't a viable option!

    5. Re:Another buffer overflow by PPH · · Score: 1, Funny

      Mozilla are

      Mozilla is
      or
      Mozilli are

      --
      Have gnu, will travel.
    6. Re:Another buffer overflow by JustAnotherOldGuy · · Score: 1

      Mozilla is

      or

      Mozilli are

      It depends on whether you're treating "Mozilla" as a countable or uncountable noun, e.g. "bottles of milk" versus "milk". That is, as a collective versus an individual reference.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    7. Re:Another buffer overflow by unity · · Score: 1

      I was not aware of any of that; but knowing is half the battle and now, should I hear about this Rust doohickey I'll know to continue on my way.

    8. Re:Another buffer overflow by Anonymous Coward · · Score: 0

      does no one else sleep with a pillow over their head to keep the sunlight out of their eyes so they can sleep in? The fact that his wife does not find this suspicious but Alex Jones does tell you all you need to know about this situation.

    9. Re:Another buffer overflow by Anonymous Coward · · Score: 3, Interesting

      I get that you clearly have an axe to grind about Rust for some reason, but you have not explained why it isn't viable. It's impossible to take you seriously when you make empty claims about Servo "going nowhere" when components written in Rust for Servo are being added to Firefox as we speak, or that Rust's syntax is "a step backward" from the likes of C++ or PHP, or argue that you might as well use C++ instead, despite the fact that C++ offers too many convenient footguns to make such a thing viable without expensive static analysis tools to make sure you aren't screwing up... which Rust offers built-in as part of the compilation process.

      It honestly sounds like you're just unwilling to acknowledge Rust because Mozilla did something to piss you off. Maybe they removed a feature from Firefox you don't like, or maybe you just think they should have pushed Rust out the door faster than any other advanced language, or maybe you just don't like some people working on Rust or at Mozilla. At any rate, you are doing a piss poor job of convincing anybody as to what Rust's actual flaws are. The standard library not being as mature as the ones in older languages? That's really the only substantive thing you've mentioned here that doesn't smack of petty sensationalism.

    10. Re:Another buffer overflow by Anonymous Coward · · Score: 0

      Ignoring Java and C#. Ignoring C++2001 TR1, 2011, and 2014 (and boost). Ignoring Google's Go, objective-c, and Apple's swift.

      Yeah, if you ignore all those projects, then sure, Mozilla is totally among the very few doing new language design to eliminate memory issues.

    11. Re:Another buffer overflow by armanox · · Score: 1

      Can I haz SELinux + grsecurity in all major distributions by default plz.

      Red Hat and Fedora based distributions ship with SELinux set to enforcing by default, so most corporate/government installs should be covered.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    12. Re:Another buffer overflow by Anonymous Coward · · Score: 0

      Clearly a Freddy Kruger-esque dream version of Dick Cheney killed him in his sleep...

  3. Re:But this is open source, right? by Anonymous Coward · · Score: 3, Funny

    your eyes are not open source, they are processing fonts, and they are vulnerable

  4. Re:But this is open source, right? by Anonymous Coward · · Score: 2, Informative

    The reported vulnerability is also present in Windows… As soon as you use the windows version of firefox.

  5. According to my package manager for Mint by Anonymous Coward · · Score: 1

    libgraphite is used by libreoffice, grcompiler, texlive-binaries, fonts-sil-padauk.

    I have no doubt a more forward looking distro like Fedora or Arch will have more applications that include libgraphite/silgraphite as a dependency. Sadly I can't verify dependants from here: https://apps.fedoraproject.org/packages/graphite2/

  6. Re:This proves we need to start using Rust. by Anonymous Coward · · Score: 0

    You need to get with the times. Most public and private entities have codes of conduct.

    And my pickup truck has been using Rust for years.

  7. gfx.font_rendering.graphite.enabled by Anonymous Coward · · Score: 1

    Just deactivate the graphite thing in firefox (if you are using one of the vulnerable versions, 11-42) and you are done.

    1. Re:gfx.font_rendering.graphite.enabled by gustygolf · · Score: 5, Informative

      Or disable web fonts. No attack vector that way.

      gfx.downloadable_fonts.enabled = false

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  8. Nice font by Anonymous Coward · · Score: 1

    I like the font they used in the article. Very creative, especially how it included photos of my kids and parts of the social security number

  9. Bad "solution". What about other apps? by Anonymous Coward · · Score: 0

    What a fucking bad solution. Like the goddamn summary says, other applications are affected. Disabling this in Firefox doesn't do a fucking thing to fix OpenOffice, for instance!

    YOU NEED TO UPGRADE THE BUGGY LIBRARY!

    YOU NEED TO UPGRADE THE BUGGY LIBRARY!

    YOU NEED TO UPGRADE THE BUGGY LIBRARY!

    1. Re:Bad "solution". What about other apps? by Anonymous Coward · · Score: 0

      What a fucking bad solution. Like the goddamn summary says, other applications are affected. Disabling this in Firefox doesn't do a fucking thing to fix OpenOffice, for instance!

      YOU NEED TO UPGRADE THE BUGGY LIBRARY!

      YOU NEED TO UPGRADE THE BUGGY LIBRARY!

      YOU NEED TO UPGRADE THE BUGGY LIBRARY!

      I'm sorry, what do I need to do?

    2. Re:Bad "solution". What about other apps? by Anonymous Coward · · Score: 0

      YOU NEED TO UPGRADE THE BUGGY LIBRARY

      Sorry boss, but I've gotta use so many caps because I am yelling.

    3. Re:Bad "solution". What about other apps? by PPH · · Score: 2

      Well, maybe.

      Firefox is uniquely* exposed to this exploit in that an attacker can embed the bad font in a web page. With other applications, one needs to download and install the font as a separate step.

      *At least for OpenOffice, I have to download/install fonts. There may exist apps that do this automatically from remote sites. But how an attacker could specify a particular font server from which the app should download their corrupted font is another hoop they would have to jump through.

      --
      Have gnu, will travel.
    4. Re:Bad "solution". What about other apps? by Anonymous Coward · · Score: 0

      I will upgrade the buggy library (and Firefox) when it shows up in my distro. For now, the only thing to do is spend 10 seconds making your firefox immune to the attack by disabling the feature.

      Besides, Firefox is a serious vector, OpenOffice not so much. Injecting characters into a browser can be done automatically and without user knowledge, so the exploit is guaranteed to work even with the most cautious users. To exploit the same vulnerability with OpenOffice, you would need to trick the user into opening a document, so the success rate is necessarily much lower (cautious users don't open random documents).

    5. Re:Bad "solution". What about other apps? by Anonymous Coward · · Score: 1

      In many word processors, fonts can be embedded into the document, to make sure they render "correctly" . I think OO supports this.

  10. Reweb by Anonymous Coward · · Score: 0

    I saw this once at Reweb a former client of mine: They were using a font... I forgot the name now... But it was bad as fuck because it was not standard. So, I think everywhere Google put its finger may be being secretly exploited. Hmpf.

  11. Re:But this is open source, right? by Anonymous Coward · · Score: 0

    Things like this will happen as long as humans write the code. Whether or not you (or someone else) are free to fix it, is another matter (licensing).

  12. If only... by Anonymous Coward · · Score: 0

    all of you used $MY_FAVORITE_LANGUAGE which is better than $YOUR_FAVORITE_LANGUAGE. And then $MY_FAVORITE_BLOATED_ACCESS_CONTROL.

    Yes, yes. Thankyouverymuch

    1. Re:If only... by Anonymous Coward · · Score: 0

      No thanks. I'll just keep using $MY_44_YEAR_OLD_PROGRAMMING_LANGUAGE and carefully ignore all progress since then. Memory safety is for the weak!

  13. It almost certainly isn't by Anonymous Coward · · Score: 0

    If an application can embed fonts with special characters, then it's probably using the Graphite font processing library.

    Unless it's a Windows, Mac OS or iOS app that uses the font processing built into the operating system. Which is like 99% of applications.

  14. When you let anyone run code on your machine by Anonymous Coward · · Score: 0

    This is what happens.

    This is why the Web sucks, we mix code and data, and people get owned.

    1. Re: When you let anyone run code on your machine by firewrought · · Score: 2

      This is why the Web sucks, we mix code and data

      If this were a JavaScript exploit, you might have a point, but font libraries are just data. While the attack does involve mixing code and data, it's not a fundamental feature of the web that's being exploited. Instead it's the Von Neumann architecture; it's going to apply to any sufficiently complex program that accepts outside data. A better criticism would be to say "this is why c++ sucks... it's hard to write memory-correct code in it".

      --
      -1, Too Many Layers Of Abstraction
    2. Re: When you let anyone run code on your machine by Anonymous Coward · · Score: 1

      Except the CSS you're downloading tells your browser to go and obtain the vulnerable font. Without asking or confirming. Data (the webpage) is executing code on your machine.

    3. Re: When you let anyone run code on your machine by Hentes · · Score: 2

      Unfortunately, fonts aren't just data. This blog post details the exploit, basically a malicious font can compromise the TTF virtual machine.

  15. Re:But this is open source, right? by Anonymous Coward · · Score: 1

    But what if my DNA has been sequenced and published? Are my eyes open source then?

  16. Hyperbole? Much? by Viol8 · · Score: 5, Insightful

    FTA:

    "The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"

    Err no. It'll crash the browser (or whichever userspace program is using the library). That's a bit different to crashing the kernel.

    Bring back the X Font Server and get off my lawn!

    1. Re:Hyperbole? Much? by Anonymous Coward · · Score: 0

      Yup, just another bullshit click-bait "article." Shame on the new owners for keeping this editor around. Crap like this should be binned immediately unless it has proven test cases, and not qualified with vague "maybe", "possible" and imaginary assumptions. This is a tech news site, not scaremongering reddit/twatter/engadget dimsville readers.

    2. Re:Hyperbole? Much? by Anonymous Coward · · Score: 0

      who says this is a tech news site? it's billed as "stuff" that "matters". not even a hint at who it would "matter" to. it seems to me the "who" is morons, and the "moron" is you, lady.

  17. Re:This proves we need to start using Rust. by Anonymous Coward · · Score: 0

    a moderation team to enforce that code of conduct.

    But the Rust development team is all male! There's only one female name in the 48 names listed.

    How can we get the Rust teams' gender ratio to something approaching normal?

  18. Don't let web pages change font by CanadianMacFan · · Score: 1

    I haven't let web pages use different fonts for years. I use a font at a size on my browser that I find easy to read and I found a long time ago that people making pages were trying to change fonts and sizes to things that weren't as easy for me to read. This comes from people who think that they need to have absolute control of how everything is displayed on the page. That was never the intention of how the web was to work.

    1. Re:Don't let web pages change font by Anonymous Coward · · Score: 0

      But some idiots use fonts as image collections.
      So you may end up with squares instead of arrows, icons, etc.

    2. Re:Don't let web pages change font by Anonymous Coward · · Score: 0

      A friend of mine works at a web services software company that does exactly that. She graduated cum laude and almost all her cow-orkers are university educated people too. But I agree with you, they're still idiots.

  19. Re: But this is open source, right? by Anonymous Coward · · Score: 0

    Are you sure about that? This was found by a company specialising in automated testing tools that works equally well on closed source (and is much more routinely used by large closed source software companies than in OSS projects).

  20. Re:But this is open source, right? by Runaway1956 · · Score: 1, Troll

    A: the font isn't open source
    B: one or more pair of eyes DID find this problem
    C: there are no eyes looking at your Windows platform

    I'll take my chances with open source, thank you. You enjoy your telemetry nonsense.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  21. Re:But this is open source, right? by Anonymous Coward · · Score: 0

    Depends on what one is allowed to do with the published information. In terms of "bug shallowness", the effect is similar.

  22. Is Pale Moon fixed? by Futurepower(R) · · Score: 0, Troll

    Is Pale Moon fixed? I don't see any mention of that.

    We switched to Pale Moon and are now not having problems with the instability of Firefox when there are many windows and tabs open. Since Pale Moon is based on Firefox, most of the Firefox add-ons work.

    In the past, Google paid Mozilla Foundation $300 million each year to make Google search the default search engine in Firefox. Google apparently didn't cause problems, even though it paid a shocking amount.

    Now, I understand, Mozilla Foundation gets most of its money from Microsoft. Microsoft pays Yahoo. Yahoo pays Mozilla Foundation to make "Yahoo search" (actually mostly Microsoft Bing search) the default search engine in Firefox.

    The Thunderbird and SeaMonkey Composer GUIs have been damaged, apparently deliberately. File saves in the newer versions of both ask for a new file name, and don't suggest the last one chosen. The damage was reported several months ago, but has not been fixed.

    Is that another example of Microsoft's Embrace, Extend, Extinguish? People who feel forced away from Thunderbird may choose Microsoft software to replace it. Is that something Microsoft is trying to accomplish?

    In my opinion, dishonest people should not be employed in management. In my opinion, the managers and members of the board of directors of both Microsoft and Mozilla Foundation who approved the dishonesty of sneakily re-configuring Mozilla Foundation products should be immediately fired, and not allowed to have management positions in the future.

    Mozilla Foundation may be desperate now that it has lost the incredible amount of money paid by Google.

    A few of the many, many articles about abuse by Microsoft:

    Microsoft has no plans to tell us what's in Windows patches. Each update is a black box, and it's going to stay that way.

    Leaks show that Microsoft writes release notes, so why can't it publish them? The lack of documentation of Windows' updates is a baffling move on Microsoft's part.

    Microsoft's Software is Malware. Malware means software designed to function in ways that mistreat or harm the user.

    How Can Any Company Ever Trust Microsoft Again?

    NSA Backdoor Exploit in Windows 8 Uncovered

    Microsoft Gave the NSA Direct Backdoor Access to Outlook, Skype

    Microsoft [lack of] Privacy Statement

    Here's how to Block Windows 10 "Spying"

    1. Re:Is Pale Moon fixed? by amiga3D · · Score: 0, Troll

      I have no mod points to undo the damage caused by the M$ fanboys. I do laud you on your efforts to spread the truth about the malware that masquerades as an operating system and still deserves the badge "Defective by Design."

    2. Re:Is Pale Moon fixed? by Anonymous Coward · · Score: 2, Insightful

      What are you talking about? The GP is a paranoid lunatic and a Pale Moon fanboy. When Google owned the search results that's ok, but when Yahoo (Microsoft) owns it then every bug is Microsoft's fault?

      He's claiming that a save dialog not defaulting to the last used file name is a Microsoft conspiracy to discredit the software and get people to switch to IE and Outlook. WTF! Much software has annoying open/save dialogs, it's not a new issue. In fact, I'd suggest the old behavior was a bug and the new behavior is better. When I'm saving something new I don't want the previous file name. That creates the risk of accidentally saving over the old file. Remembering the last folder saved in and/or the current working directory is fine, but I don't want to see the last file name. Even a default file name is annoying. The print to PDF features always defaults to output.pdf. I never want to name a PDF that and always have to select the name and change it. That's an extra three buttons (Ctrl, A, Delete) I have to press because of the stupid default. Having no file name as the default would be more efficient.

      Linux's file/folder selection dialogs are all screwed up and not unified. Some of them give me a nice browser to select the folder and then a tiny input box to type the file name. Others give me almost the exact same folder browsing dialog but expect me to give it the name of the file to save instead of selecting a folder.

      I use Thunderbird at home and Outlook at work. Thunderbird is no risk to Outlook and even Mozilla is trying to forget about Thunderbird (which is probably why it's still usable).

      Where are the GP's links about all the other companies that are legally required to give law enforcement access to their services? Singling out one company is dishonest, misleading, and doesn't point people towards what needs to be changed to create a solution.

    3. Re:Is Pale Moon fixed? by Anonymous Coward · · Score: 0

      NSA Backdoor Exploit in Windows 8 Uncovered
      Microsoft Gave the NSA Direct Backdoor Access to Outlook, Skype

      Why is there no evidence of this? MS says they didn't, the Guardian says they did and they have documents that prove it but they won't show them to you and you of course believe them? If these backdoors do exist then why can nobody find them? Why won't the Guardian release the information on these supposed "backdoors"?

      Nobody in their right mind would blindly trust the baseless reportings of a major news outlet that declines to provide any sources or evidence to support their claims yet you do and you even parade it as fact simply because it is against Microsoft. I certainly wouldn't trust Microsoft but I find it fascinating how the mistrust some people have of a company can allow them to be so easily manipulated into being mouthpieces for news agencies.

    4. Re:Is Pale Moon fixed? by unixisc · · Score: 1

      One issue w/ PaleMoon - doesn't yet have native support for HTML3. So one has to have Adobe Flash included in order to see any multimedia content

    5. Re:Is Pale Moon fixed? by armanox · · Score: 1

      I'm inclined to agree with you - he's making something out of nothing. However, I do like having a default file name (especially if it's smart enough to see if that file already exists and create a new name (say output1.pdf) as not to overwrite the first file). As far as keystrokes go on that, you are adding an extra step in there - it is not necessary to hit delete, you can start typing and it will overwrite highlighted text. Or you can double click the word and start typing (if you are mouse inclined instead. Oh, options for everyone!).

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    6. Re:Is Pale Moon fixed? by Anonymous Coward · · Score: 0

      Good point about delete, but I always press delete to make sure I clear everything out. My file names are always longer than the input field and double-clicking either only selects the word or selects everything but the extension. I name things like: Comcast - 20160215 - Bill Payment.pdf

  23. Re:But this is open source, right? by AC-x · · Score: 2

    Well there are a few eyes looking at the Windows platform, I mean sure they all work for Microsoft, but they are there :)

  24. Re:This proves we need to start using Rust. by Anonymous Coward · · Score: 0

    Through the liberal use of overwhelming force, that's how! "We need some muscle over here!"

  25. Re:More importantly by Anonymous Coward · · Score: 0

    Like this: "It's systemd's fault, it would never have happened with init."

  26. Re:How did John Poindexter become so rich? by Anonymous Coward · · Score: 0

    He had a BS from the Naval Academy and an MS and a PhD in nuclear physics from Caltech. He served as a Rear Admiral in the Navy and had senior executive service in national security. With a clean record (the convictions reversed on appeal), connections, education, and a proven track record, the fact that he was able to make serious money in the civilian sector should not come as a surprise. This discounts any previous family money, of course.

  27. That FINE reliable Open SORES code! by Anonymous Coward · · Score: 0

    That FINE reliable Open SORES code! Solid, dependable, bulletproof and bug free? No way. Not with noobs that make it. Hahahahahahahaha!

  28. Bobby Tables brought you a little present by Anonymous Coward · · Score: 0

    https://xkcd.com/327/

    More seriously, there is usually no need and no point to embedding fonts. If it's not renderable in good old LANG=POSIX ASCII 7-bit flat text, or it has images and needs to include them in a plain HTML document, but can't be rendered with prettification and excessive layout, then it's a *bad document* and should be sent back to its author to learn how to write legible English in a legible format.

    If the document is not in English, OK, I can see a use for more formatting. Mathematical equations and chemistry notation, also OK if needed. But that is the *only* excuse for not using graphics free presentation. A QA checklist does *NOT NEED 37 fonts!!!*.

    1. Re:Bobby Tables brought you a little present by Anonymous Coward · · Score: 0

      Yes I can imagine you're a very boring person.

  29. Re: But this is open source, right? by F.Ultra · · Score: 1

    If they are source code checkers then how do you propose that they work with closed source equally well? If they are used by the closed source companies, then yes, it of course works but the point is that the company manufacturing the source code checker can use the large pool of open source software to improve their checker while also providing finds such as this. With the closed source company the company would have to actively run the checks, that's a big difference.

  30. Re:But this is open source, right? by houstonbofh · · Score: 1

    Snowcrash fan?

  31. Is 2016 and a malformed font still... by williamyf · · Score: 1

    Can lead to your system being pw0ned!

    Damned Micro$oft!!!!!!!!!!!!.... ...OH ... WAIT....

    --
    *** Suerte a todos y Feliz dia!
  32. Re:But this is open source, right? by Gavagai80 · · Score: 1

    No. In order to reduce risk to their intellectual property, Microsoft exclusively employs blind people in their Windows division.

    --
    This space intentionally left blank
  33. Affected. It's already fixed. by Anonymous Coward · · Score: 0

    Affected. It's already fixed.

  34. Re: But this is open source, right? by Anonymous Coward · · Score: 0

    naw, man, they work for the NSA - pay attention.

  35. How do all the stories affect our thinking? by Futurepower(R) · · Score: 1

    The way I handle such issues is to look at the big picture. I don't know exactly what is happening with Microsoft and Windows, but there are many, many reports that indicate crazy things are happening.

    Another example: I don't know what happened on 9/11/2001 at the World Trade Center, but it is interesting that Marvin P. Bush, the president's younger brother, was a principal in a company called Securacom that provided security for the World Trade Center.

    The domination we are seeing is destructive toward the lives of those who do it, in the kind of way that alcoholism is not a solution to problems, but degrades the lives of alcoholics.

    1. Re:How do all the stories affect our thinking? by Anonymous Coward · · Score: 0

      Holy fucking shite!

      How insane does one have to be to find a connection between a security hole in libgraphite that affects earlier versions of Firefox, Microsoft and 9/11?
      What next? The moon landing was a hoax because Monsanto wanted to sell more GM crops? JFK was killed by vaccine pushing doctors just as he was about to announce that vaccines cause autism? Vietnam was initiated by a group of fierce, greedy soy farmers?

      Mental illnesses really are a horrible thing to suffer from.

  36. Unpossible! by Anonymous Coward · · Score: 0

    Open Sores is perfect softwares!

  37. Re:But this is open source, right? by Anonymous Coward · · Score: 0

    No they are hardware...

  38. Re:But this is open source, right? by armanox · · Score: 1

    Except if you read the Windows security bulletins that come out every month you'd see that this happens on Microsoft platforms too.

    Oh, heaven forbid that people actually pay attention to what they are doing on a computer.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  39. Don't avoid. Stay logical. by Futurepower(R) · · Score: 1

    Wow! Moderated up to +4, now at 0.

    That's avoidance, not logic. There are many, many, many articles about abuse by Microsoft. Whether or not you like what I said, or the articles I chose, there is an issue.

    As I said above: The domination we are seeing is destructive toward the lives of those who do it, in the kind of way that alcoholism is not a solution to problems, but degrades the lives of alcoholics.

    Don't be dishonest toward yourselves. Deal with conflicts, don't avoid them.

  40. chrome stable (48.0) links to libgraphite2.so by Bill+Privatus · · Score: 1

    I can find no workarounds for Chrome - posted in the chrome forum. Just wondered if anyone else was concerned enough to figure out how to disable it in Chrome until the library is updated.
    From ldd output of /opt/google/chrome/chrome:
    libgraphite2.so.3 => /usr/lib64/libgraphite2.so.3 (0x00007fb69a34e000)

    --
    Redundancy is good; triple redundancy is twice as good! - Me.
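
The `ldd` check in the comment above, turned into a small inventory script; this is an added example, not part of the original thread. It goes one step beyond the comment by also reading `/proc/<pid>/maps` to find processes that still map a replaced copy of the library after an upgrade. The function names, the `bins`/`procs` arguments and the sample lines (apart from the `libgraphite2.so.3` line quoted in the comment) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find binaries that link libgraphite2 and processes that
# still run a replaced copy of it. Function names are hypothetical.

# Constructed sample of `ldd` output; the libgraphite2 line is the one
# quoted in the comment, the other two lines are made up.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd5a1f2000)
    libgraphite2.so.3 => /usr/lib64/libgraphite2.so.3 (0x00007fb69a34e000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fb699f00000)'

# Constructed sample of one /proc/<pid>/maps line after the library file
# was replaced on disk (the kernel appends "(deleted)" to the path).
SAMPLE_MAPS='7fb69a34e000-7fb69a36a000 r-xp 00000000 08:01 1317 /usr/lib64/libgraphite2.so.3.0.1 (deleted)'

# Read `ldd` output on stdin. Print the resolved libgraphite2 path and
# return 0 if the binary links it (directly or transitively), else return 1.
graphite_path_from_ldd() {
    awk '
        $1 ~ /^libgraphite2\.so/ && $2 == "=>" {
            if ($3 == "not") print "not found"; else print $3
            found = 1
            exit
        }
        END { exit !found }
    '
}

# Read /proc/<pid>/maps content on stdin. Print the libgraphite2 path and
# return 0 only if the mapped file has been deleted or replaced on disk,
# i.e. the process is still running the pre-upgrade copy.
stale_graphite_in_maps() {
    awk '
        $6 ~ /\/libgraphite2\.so/ && $NF == "(deleted)" {
            print $6
            found = 1
            exit
        }
        END { exit !found }
    '
}

# Report "<binary><TAB><library path>" for each argument that links graphite.
# ldd can execute code from the file it inspects, so only point this at
# binaries installed from trusted packages.
scan_binaries() {
    for bin in "$@"; do
        [ -f "$bin" ] && [ -x "$bin" ] || continue
        if lib=$(ldd "$bin" 2>/dev/null | graphite_path_from_ldd); then
            printf '%s\t%s\n' "$bin" "$lib"
        fi
    done
}

# Report "<pid><TAB><library path>" for processes that need a restart to
# pick up the upgraded library. Needs root to see other users' processes.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        if lib=$(cat "$maps" 2>/dev/null | stale_graphite_in_maps); then
            pid=${maps#/proc/}
            printf '%s\t%s\n' "${pid%/maps}" "$lib"
        fi
    done
}

# Usage: script.sh bins /opt/google/chrome/chrome /usr/bin/...
#        script.sh procs
case "${1:-}" in
    bins)  shift; scan_binaries "$@" ;;
    procs) scan_processes ;;
esac
```

A path reported by `scan_binaries` only shows that the library is loaded; whether that copy is a fixed release still has to be checked against the distribution's package version.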