CVE-2016-2792

Summary

CVE	CVE-2016-2792
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2016-03-13 18:59:00 UTC
Updated	2019-12-27 16:08:00 UTC
Description	The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2800.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Mozilla	Firefox	All	All	All	All
Application	Mozilla	Firefox Esr	38.0	All	All	All
Application	Mozilla	Firefox Esr	38.0.1	All	All	All
Application	Mozilla	Firefox Esr	38.0.5	All	All	All
Application	Mozilla	Firefox Esr	38.1.0	All	All	All
Application	Mozilla	Firefox Esr	38.1.1	All	All	All
Application	Mozilla	Firefox Esr	38.2.0	All	All	All
Application	Mozilla	Firefox Esr	38.2.1	All	All	All
Application	Mozilla	Firefox Esr	38.3.0	All	All	All
Application	Mozilla	Firefox Esr	38.4.0	All	All	All
Application	Mozilla	Firefox Esr	38.5.0	All	All	All
Application	Mozilla	Firefox Esr	38.5.1	All	All	All
Application	Mozilla	Firefox Esr	38.6.0	All	All	All
Application	Mozilla	Firefox Esr	38.6.1	All	All	All
Application	Mozilla	Firefox Esr	38.0	All	All	All
Application	Mozilla	Firefox Esr	38.0.1	All	All	All
Application	Mozilla	Firefox Esr	38.0.5	All	All	All
Application	Mozilla	Firefox Esr	38.1.0	All	All	All
Application	Mozilla	Firefox Esr	38.1.1	All	All	All
Application	Mozilla	Firefox Esr	38.2.0	All	All	All
Application	Mozilla	Firefox Esr	38.2.1	All	All	All
Application	Mozilla	Firefox Esr	38.3.0	All	All	All
Application	Mozilla	Firefox Esr	38.4.0	All	All	All
Application	Mozilla	Firefox Esr	38.5.0	All	All	All
Application	Mozilla	Firefox Esr	38.5.1	All	All	All
Application	Mozilla	Firefox Esr	38.6.0	All	All	All
Application	Mozilla	Firefox Esr	38.6.1	All	All	All
Operating System	Opensuse	Leap	42.1	All	All	All
Operating System	Opensuse	Leap	42.1	All	All	All
Operating System	Opensuse	Opensuse	13.1	All	All	All
Operating System	Opensuse	Opensuse	13.2	All	All	All
Operating System	Opensuse	Opensuse	13.1	All	All	All
Operating System	Opensuse	Opensuse	13.2	All	All	All
Operating System	Oracle	Linux	5.0	All	All	All
Operating System	Oracle	Linux	6	All	All	All
Operating System	Oracle	Linux	7	All	All	All
Operating System	Oracle	Linux	5.0	All	All	All
Operating System	Oracle	Linux	6	All	All	All
Operating System	Oracle	Linux	7	All	All	All
Application	Sil	Graphite2	All	All	All	All
Operating System	Suse	Linux Enterprise	12.0	All	All	All
Operating System	Suse	Linux Enterprise	12.0	All	All	All

References

Reference	Source	Link	Tags
USN-2917-3: Firefox regressions \| Ubuntu	UBUNTU	www.ubuntu.com
[security-announce] SUSE-SU-2016:0909-1: important: Security update for	SUSE	lists.opensuse.org
Debian -- Security Information -- DSA-3520-1 icedove	DEBIAN	www.debian.org
Graphite2 library Multiple Security Vulnerabilities	BID	www.securityfocus.com
USN-2934-1: Thunderbird vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com
USN-2917-1: Firefox vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com
Debian -- Security Information -- DSA-3510-1 iceweasel	DEBIAN	www.debian.org
USN-2927-1: graphite2 vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com
Mozilla Products: Multiple vulnerabilities (GLSA 201605-06) — Gentoo security	GENTOO	security.gentoo.org
Access Denied	CONFIRM	bugzilla.mozilla.org	Issue Tracking
[security-announce] openSUSE-SU-2016:0733-1: important: Security update	SUSE	lists.opensuse.org
[security-announce] SUSE-SU-2016:0820-1: important: Security update for	SUSE	lists.opensuse.org
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Spoof the Address Bar, Overwrite Files, and Deny Service - SecurityTracker	SECTRACK	www.securitytracker.com
[security-announce] openSUSE-SU-2016:0894-1: important: Security update	SUSE	lists.opensuse.org	Third Party Advisory
Debian -- Security Information -- DSA-3515-1 graphite2	DEBIAN	www.debian.org
Graphite: Multiple vulnerabilities (GLSA 201701-63) — Gentoo Security	GENTOO	security.gentoo.org
Font vulnerabilities in the Graphite 2 library — Mozilla	CONFIRM	www.mozilla.org	Vendor Advisory
[security-announce] openSUSE-SU-2016:0731-1: important: Security update	SUSE	lists.opensuse.org
[security-announce] SUSE-SU-2016:0777-1: important: Security update for	SUSE	lists.opensuse.org
Oracle Linux Bulletin - January 2016	CONFIRM	www.oracle.com	Third Party Advisory
[security-announce] openSUSE-SU-2016:1769-1: important: Security update	SUSE	lists.opensuse.org	Third Party Advisory
[security-announce] openSUSE-SU-2016:0876-1: important: Security update	SUSE	lists.opensuse.org
USN-2917-2: Firefox regressions \| Ubuntu	UBUNTU	www.ubuntu.com
[security-announce] openSUSE-SU-2016:1778-1: important: Security update	SUSE	lists.opensuse.org	Third Party Advisory
[security-announce] openSUSE-SU-2016:1767-1: important: Security update	SUSE	lists.opensuse.org	Third Party Advisory
[security-announce] SUSE-SU-2016:0727-1: important: Security update for	SUSE	lists.opensuse.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

710417 Gentoo Linux Graphite Multiple Vulnerabilities (GLSA 201701-63)