Slashdot Mirror


Vulnerability In Font Processing Library Affects Linux, OpenOffice, Firefox (softpedia.com)

An anonymous reader writes: If an application can embed fonts with special characters, then it's probably using the Graphite font processing library. This library has several security issues which an attacker can leverage to take control of your OS via remote code execution scenarios. The simple attack would be to deliver a malicious font via a Web page's CSS. The malformed font loads in Firefox, triggers the RCE exploit, and voila, your PC has a hole inside through which malware can creep in.

15 of 95 comments

  1. Current version of Firefox is not vulnerable by Anonymous Coward · · Score: 5, Informative

    Known Vulnerable Versions:
    Libgraphite 2-1.2.4
    Firefox 31-42

    source: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html

    1. Re:Current version of Firefox is not vulnerable by Anonymous Coward · · Score: 3, Informative

      Yes, Firefox fixed this issue in 44.0.2, released last Thursday. Weirdly, when I checked that page Thursday it did not mention a thing about the graphite vulnerability. It was added today: https://www.mozilla.org/en-US/...

    2. Re:Current version of Firefox is not vulnerable by buchner.johannes · · Score: 5, Informative

      In the meantime, you can set gfx.font_rendering.graphite.enabled to False

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:Current version of Firefox is not vulnerable by BZ · · Score: 3, Informative

      Firefox fixed this issue in Firefox 43, not in 44.0.2. In particular, it was "fixed" in Firefox by updating to a version of libgraphite that did not have the problem, and this happened before the issue was even reported to libgraphite.

      Hence no CVE for Firefox 43 or 44, because they were never vulnerable, and no CVE for Firefox 42, because it was long-superseded by the time the vulnerability was even reported.

      The CVE, if you note, is for Firefox 38 ESR, which _was_ vulnerable until the 38.6.1 release.

  2. Re:But this is open source, right? by Anonymous Coward · · Score: 3, Funny

    your eyes are not open source, they are processing fonts, and they are vulnerable

  3. Re:But this is open source, right? by Anonymous Coward · · Score: 2, Informative

    The reported vulnerability is also present in Windows… as soon as you use the Windows version of Firefox.

  4. Re:Another buffer overflow by Anonymous Coward · · Score: 4, Informative

    Can I haz SELinux + grsecurity in all major distributions by default plz.

    Of course that wouldn't protect Windows, which is also affected by this and is conveniently left out of the summary. Actually, it doesn't impact Linux or Windows. It impacts applications that run on them that enable smart fonts using Graphite. If you haven't turned on this capability or if you turn it off, you aren't impacted at all. Good news is that it has already been fixed in the latest release of Graphite in January.

  5. Hyperbole? Much? by Viol8 · · Score: 5, Insightful

    FTA:

    "The worst is an out-of-bounds read bug (CVE-2016-1521) that allows attackers to crash the system"

    Err no. It'll crash the browser (or whichever userspace program is using the library). That's a bit different to crashing the kernel.

    Bring back the X Font Server and get off my lawn!

  6. Re:gfx.font_rendering.graphite.enabled by gustygolf · · Score: 5, Informative

    Or disable web fonts. No attack vector that way.

    gfx.downloadable_fonts.enabled = false

    --
    "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
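Comments 1, 2 and 6 between them give a defender everything needed to triage a Firefox install: the vulnerable version range (Firefox 31-42 per the Talos post, ESR 38 fixed in 38.6.1 per BZ's comment) and the two about:config prefs that cut the web-font attack path. The script below, an added example and not code from the page or from Mozilla, reads a profile's prefs.js (the `user_pref("name", value);` format Firefox writes) and combines it with a version string into a verdict. The prefs.js text is a constructed sample, and it assumes that a pref absent from the file is at its default, which for both prefs here is true.

```python
import re

# Constructed sample of a Firefox prefs.js, not taken from the page or from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1455000000);
user_pref("gfx.downloadable_fonts.enabled", true);
user_pref("gfx.font_rendering.graphite.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""

# One user_pref("name", value); line. Values are true/false, integers or "strings".
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js text into {pref_name: value}."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref() call
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def parse_version(version):
    """'44.0.2' -> (44, 0, 2); '38.6.1esr' and 'Mozilla Firefox 38.6.1' -> (38, 6, 1)."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"not a Firefox version string: {version!r}")
    return tuple(int(n) for n in nums[:3])


def firefox_version_vulnerable(version):
    """Vulnerable range as given in the thread: Firefox 31-42 (Talos); ESR 38 fixed in 38.6.1 (BZ)."""
    v = parse_version(version)
    major = v[0]
    if not 31 <= major <= 42:
        return False
    if major == 38 and v >= (38, 6, 1):
        return False
    return True


def assess(prefs, version):
    """Combine the version and the two prefs into a simple exposure verdict."""
    # Assumption: a pref missing from prefs.js is at its default, which is true for both of these.
    web_fonts = bool(prefs.get("gfx.downloadable_fonts.enabled", True))
    graphite = bool(prefs.get("gfx.font_rendering.graphite.enabled", True))
    version_vuln = firefox_version_vulnerable(version)
    return {
        "version_vulnerable": version_vuln,
        "web_fonts_enabled": web_fonts,
        "graphite_enabled": graphite,
        # The CSS-delivered attack in the summary needs all three to hold.
        "exposed_via_web_fonts": version_vuln and web_fonts and graphite,
    }


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for ver in ("42.0", "38.5.2esr", "38.6.1esr", "44.0.2"):
        print(ver, assess(prefs, ver))
```

Either pref set to false is enough to close the web-font path, but as the thread points out, libgraphite is also linked into other applications (OpenOffice/LibreOffice among them), and those are not covered by a Firefox prefs check; a fixed libgraphite (the January release mentioned above) is the real remedy.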
  7. Re: When you let anyone run code on your machine by firewrought · · Score: 2

    This is why the Web sucks, we mix code and data

    If this were a JavaScript exploit, you might have a point, but font libraries are just data. While the attack does involve mixing code and data, it's not a fundamental feature of the web that's being exploited. Instead it's the Von Neumann architecture; it's going to apply to any sufficiently complex program that accepts outside data. A better criticism would be to say "this is why c++ sucks... it's hard to write memory-correct code in it".

    --
    -1, Too Many Layers Of Abstraction
  8. Re:But this is open source, right? by AC-x · · Score: 2

    Well there are a few eyes looking at the Windows platform, I mean sure they all work for Microsoft, but they are there :)

  9. Re:Bad "solution". What about other apps? by PPH · · Score: 2

    Well, maybe.

    Firefox is uniquely* exposed to this exploit in that an attacker can embed the bad font in a web page. With other applications, one needs to download and install the font as a separate step.

    *At least for OpenOffice, I have to download/install fonts. There may exist apps that do this automatically from remote sites. But how an attacker could specify a particular font server from which the app should download their corrupted font is another hoop they would have to jump through.

    --
    Have gnu, will travel.
  10. Re:Another buffer overflow by Anonymous Coward · · Score: 3, Interesting

    I get that you clearly have an axe to grind about Rust for some reason, but you have not explained why it isn't viable. It's impossible to take you seriously when you make empty claims about Servo "going nowhere" when components written in Rust for Servo are being added to Firefox as we speak, or that Rust's syntax is "a step backward" from the likes of C++ or PHP, or argue that you might as well use C++ instead, despite the fact that C++ offers too many convenient footguns to make such a thing viable without expensive static analysis tools to make sure you aren't screwing up... which Rust offers built-in as part of the compilation process.

    It honestly sounds like you're just unwilling to acknowledge Rust because Mozilla did something to piss you off. Maybe they removed a feature from Firefox you don't like, or maybe you just think they should have pushed Rust out the door faster than any other advanced language, or maybe you just don't like some people working on Rust or at Mozilla. At any rate, you are doing a piss poor job of convincing anybody as to what Rust's actual flaws are. The standard library not being as mature as the ones in older languages? That's really the only substantive thing you've mentioned here that doesn't smack of petty sensationalism.

  11. Re: When you let anyone run code on your machine by Hentes · · Score: 2

    Unfortunately, fonts aren't just data. This blog post details the exploit, basically a malicious font can compromise the TTF virtual machine.

  12. Re:Is Pale Moon fixed? by Anonymous Coward · · Score: 2, Insightful

    What are you talking about? The GP is a paranoid lunatic and a Pale Moon fanboy. When Google owned the search results that's ok, but when Yahoo (Microsoft) owns it then every bug is Microsoft's fault?

    He's claiming that a save dialog not defaulting to the last used file name is a Microsoft conspiracy to discredit the software and get people to switch to IE and Outlook. WTF! Much software has annoying open/save dialogs, it's not a new issue. In fact, I'd suggest the old behavior was a bug and the new behavior is better. When I'm saving something new I don't want the previous file name. That creates the risk of accidentally saving over the old file. Remembering the last folder saved in and/or the current working directory is fine, but I don't want to see the last file name. Even a default file name is annoying. The print to PDF features always defaults to output.pdf. I never want to name a PDF that and always have to select the name and change it. That's an extra three buttons (Ctrl, A, Delete) I have to press because of the stupid default. Having no file name as the default would be more efficient.

    Linux's file/folder selection dialogs are all screwed up and not unified. Some of them give me a nice browser to select the folder and then a tiny input box to type the file name. Others give me almost the exact same folder browsing dialog but expect me to give it the name of the file to save instead of selecting a folder.

    I use Thunderbird at home and Outlook at work. Thunderbird is no risk to Outlook and even Mozilla is trying to forget about Thunderbird (which is probably why it's still usable).

    Where are the GP's links about all the other companies that are legally required to give law enforcement access to their services? Singling out one company is dishonest, misleading, and doesn't point people towards what needs to be changed to create a solution.