Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com)
An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.
Known Vulnerable Versions:
Libgraphite 2-1.2.4
Firefox 31-42
source: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
If only systems and programming languages had been developed that eradicated an entire class of software bugs.
Can I haz SELinux + grsecurity in all major distributions by default plz.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
your eyes are not open source, they are processing fonts, and they are vulnerable
The reported vulnerability is also present in Windows… As soon as you use the Windows version of Firefox.
libgraphite is used by libreoffice, grcompiler, texlive-binaries, fonts-sil-padauk.
I have no doubt a more forward looking distro like Fedora or Arch will have more applications that include libgraphite/silgraphite as a dependency. Sadly I can't verify dependants from here: https://apps.fedoraproject.org/packages/graphite2/
Just deactivate the graphite thing in Firefox (if you are using one of the vulnerable versions, 11-42) and you are done.
I like the font they used in the article. Very creative, especially how it included photos of my kids and parts of the social security number
But what if my DNA has been sequenced and published? Are my eyes open source then?
FTA:
"The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"
Err no. It'll crash the browser (or whichever userspace program is using the library). That's a bit different to crashing the kernel.
Bring back the X Font Server and get off my lawn!
I haven't let web pages use different fonts for years. I use a font at a size on my browser that I find easy to read and I found a long time ago that people making pages were trying to change fonts and sizes to things that weren't as easy for me to read. This comes from people who think that they need to have absolute control of how everything is displayed on the page. That was never the intention of how the web was to work.
This is why the Web sucks, we mix code and data
If this were a JavaScript exploit, you might have a point, but font libraries are just data. While the attack does involve mixing code and data, it's not a fundamental feature of the web that's being exploited. Instead it's the Von Neumann architecture; it's going to apply to any sufficiently complex program that accepts outside data. A better criticism would be to say "this is why c++ sucks... it's hard to write memory-correct code in it".
-1, Too Many Layers Of Abstraction
Except the CSS you're downloading tells your browser to go and obtain the vulnerable font. Without asking or confirming. Data (the webpage) is executing code on your machine.
A: the font isn't open source
B: one or more pair of eyes DID find this problem
C: there are no eyes looking at your Windows platform
I'll take my chances with open source, thank you. You enjoy your telemetry nonsense.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Well there are a few eyes looking at the Windows platform, I mean sure they all work for Microsoft, but they are there :)
Well, maybe.
Firefox is uniquely* exposed to this exploit in that an attacker can embed the bad font in a web page. With other applications, one needs to download and install the font as a separate step.
*At least for OpenOffice, I have to download/install fonts. There may exist apps that do this automatically from remote sites. But how an attacker could specify a particular font server from which the app should download their corrupted font is another hoop they would have to jump through.
Have gnu, will travel.
If they are source code checkers then how do you propose that they work with closed source equally well? If they are used by the closed source companies, then yes it of course works but the point is that the company manufacturing the source code checker can use the large pool of open source software to improve their checker while also providing finds such as this. With the closed source company the company would have to actively run the checks, that's a big difference.
Snowcrash fan?
In many word processors, fonts can be embedded into the document, to make sure they render "correctly". I think OO supports this.
Can lead to your system being pw0ned!
Damned Micro$oft!!!!!!!!!!!!.... ...OH ... WAIT....
*** Good luck to everyone and have a nice day!
No. In order to reduce risk to their intellectual property, Microsoft exclusively employs blind people in their Windows division.
This space intentionally left blank
Unfortunately, fonts aren't just data. This blog post details the exploit, basically a malicious font can compromise the TTF virtual machine.
What are you talking about? The GP is a paranoid lunatic and a Pale Moon fanboy. When Google owned the search results that's ok, but when Yahoo (Microsoft) owns it then every bug is Microsoft's fault?
He's claiming that a save dialog not defaulting to the last used file name is a Microsoft conspiracy to discredit the software and get people to switch to IE and Outlook. WTF! Much software has annoying open/save dialogs, it's not a new issue. In fact, I'd suggest the old behavior was a bug and the new behavior is better. When I'm saving something new I don't want the previous file name. That creates the risk of accidentally saving over the old file. Remembering the last folder saved in and/or the current working directory is fine, but I don't want to see the last file name. Even a default file name is annoying. The print to PDF features always defaults to output.pdf. I never want to name a PDF that and always have to select the name and change it. That's an extra three buttons (Ctrl, A, Delete) I have to press because of the stupid default. Having no file name as the default would be more efficient.
Linux's file/folder selection dialogs are all screwed up and not unified. Some of them give me a nice browser to select the folder and then a tiny input box to type the file name. Others give me almost the exact same folder browsing dialog but expect me to give it the name of the file to save instead of selecting a folder.
I use Thunderbird at home and Outlook at work. Thunderbird is no risk to Outlook and even Mozilla is trying to forget about Thunderbird (which is probably why it's still usable).
Where are the GP's links about all the other companies that are legally required to give law enforcement access to their services? Singling out one company is dishonest, misleading, and doesn't point people towards what needs to be changed to create a solution.
One issue w/ PaleMoon - doesn't yet have native support for HTML3. So one has to have Adobe Flash included in order to see any multimedia content
The way I handle such issues is to look at the big picture. I don't know exactly what is happening with Microsoft and Windows, but there are many, many reports that indicate crazy things are happening.
Another example: I don't know what happened on 9/11/2001 at the World Trade Center, but it is interesting that Marvin P. Bush, the president's younger brother, was a principal in a company called Securacom that provided security for the World Trade Center.
The domination we are seeing is destructive toward the lives of those who do it, in the kind of way that alcoholism is not a solution to problems, but degrades the lives of alcoholics.
Except if you read the Windows security bulletins that come out every month you'd see that this happens on Microsoft platforms too.
Oh, heaven forbid that people actually pay attention to what they are doing on a computer.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
I'm inclined to agree with you - he's making something out of nothing. However, I do like having a default file name (especially if it's smart enough to see if that file already exists and create a new name (say output1.pdf) as not to overwrite the first file). As far as keystrokes go on that, you are adding an extra step in there - it is not necessary to hit delete, you can start typing and it will overwrite highlighted text. Or you can double click the word and start typing (if you are mouse inclined instead. Oh, options for everyone!).
I'm starting to think GNU is the problem with "GNU/Linux" these days.
Wow! Moderated up to +4, now at 0.
That's avoidance, not logic. There are many, many, many articles about abuse by Microsoft. Whether or not you like what I said, or the articles I chose, there is an issue.
As I said above: The domination we are seeing is destructive toward the lives of those who do it, in the kind of way that alcoholism is not a solution to problems, but degrades the lives of alcoholics.
Don't be dishonest toward yourselves. Deal with conflicts, don't avoid them.
I can find no workarounds for Chrome - posted in the chrome forum. Just wondered if anyone else was concerned enough to figure out how to disable it in Chrome until the library is updated.
From ldd output of /opt/google/chrome/chrome:
libgraphite2.so.3 => /usr/lib64/libgraphite2.so.3 (0x00007fb69a34e000)
Redundancy is good; triple redundancy is twice as good! - Me.
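The check the last comment does by hand (looking for libgraphite2 in ldd output), generalized to several binaries, as an added example that is not part of the original thread. The function names and the sample listing are constructed for illustration; only the Chrome libgraphite2 line is taken from the comment.

```shell
#!/bin/sh
# Added example: report which binaries resolve libgraphite2 at load time.

# Parse `ldd` output on stdin. With several files, ldd prints a "path:"
# header before each dependency list; with one file there is no header,
# so the optional first argument names that single binary.
graphite_users() {
    awk -v single="${1:-(single binary)}" '
        # Header line such as "/opt/google/chrome/chrome:"
        /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency line: "libgraphite2.so.3 => /path (0xaddr)"
        $1 ~ /^libgraphite2\.so/ && $2 == "=>" {
            path = ($3 == "not") ? "not found" : $3
            print (bin == "" ? single : bin) "\t" path
        }
    '
}

# Run ldd over the given files. Use only on binaries you trust: some
# versions of ldd obtain the dependency list by executing the program.
scan_binaries() {
    ldd "$@" 2>/dev/null | graphite_users "$1"
}

# Constructed sample; addresses other than the libgraphite2 line are made up.
sample_ldd_output() {
    cat <<'EOF'
/opt/google/chrome/chrome:
	linux-vdso.so.1 (0x00007ffd3a5f2000)
	libgraphite2.so.3 => /usr/lib64/libgraphite2.so.3 (0x00007fb69a34e000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fb699f00000)
/usr/bin/ls:
	libc.so.6 => /lib64/libc.so.6 (0x00007f0e1a200000)
EOF
}

# Demo on the constructed sample: prints the binary and the resolved library.
sample_ldd_output | graphite_users
```

On a real system, `scan_binaries /usr/bin/* /opt/*/*/*` lists every program that would load the library, which tells you what to restart after the package is updated.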