Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com)

Posted by timothy on from the well-stop-using-fonts dept.

An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.

2 of 95 comments (clear)

  1. Hyperbole? Much? by Viol8 · · Score: 5, Insightful

    FTA:

    "The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"

    Err no. It'll crash the browser (or whichever userspace program is using the library). Thats a bit different to crashing the kernel.

    Bring back the X Font Server and get off my lawn!

  2. Re:Is Pale Moon fixed? by Anonymous Coward · · Score: 2, Insightful

    What are you talking about? The GP is a paranoid lunatic and a Pale Moon fanboy. When Google owned the search results that's ok, but when Yahoo (Microsoft) owns it then every bug is Microsoft's fault?

    He's claiming that a save dialog not defaulting to the last used file name is a Microsoft conspiracy to discredit the software and get people to switch to IE and Outlook. WTF! Much software has annoying open/save dialogs, it's not a new issue. In fact, I'd suggest the old behavior was a bug and the new behavior is better. When I'm saving something new I don't want the previous file name. That creates the risk of accidentally saving over the old file. Remembering the last folder saved in and/or the current working directory is fine, but I don't want to see the last file name. Even a default file name is annoying. The print to PDF features always defaults to output.pdf. I never want to name a PDF that and always have to select the name and change it. That's an extra three buttons (Ctrl, A, Delete) I have to press because of the stupid default. Having no file name as the default would be more efficient.

    Linux's file/folder selection dialogs are all screwed up and not unified. Some of them give me a nice browser to select the folder and then a tiny input box to type the file name. Others give me almost the exact same folder browsing dialog but expect me to give it the name of the file to save instead of selecting a folder.

    I use Thunderbird at home and Outlook at work. Thunderbird is no risk to Outlook and even Mozilla is trying to forget about Thunderbird (which is probably why it's still usable).

    Where are the GP's links about all the other companies that are legally required to give law enforcement access to their services? Singling out one company is dishonest, misleading, and doesn't point people towards what needs to be changed to create a solution.