Note to readers

This publication does not currently meet the Government of Canada's Web Standards. The information remains valid.

Graphite (Libgraphite) Vulnerabilities

Number: AV16-021
Date: 8 February 2015

Purpose

The purpose of this advisory is to bring attention to multiple vulnerabilities in the Graphite (Libgraphite) library.

Assessment

CCIRC is aware of four critical vulnerabilities in the Graphite library which could allow a remote attacker to execute arbitrary code. Graphite is a font processing library leveraged by several popular Linux applications (including Mozilla Firefox, LibreOffice and OpenOffice).

Affected versions: Graphite 2 - 1.3.4 and prior

CVE References: CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526

Suggested action

CCIRC recommends that system administrators with environments using software that leverage the Graphite 2 library to check with software developers for patch availability AvailabilityThe ability for the right people to access the right information or systems when needed. Availability is applied to information assets, software, and hardware (infrastructure and its components). Implied in its definition is that availability includes the protection of assets from unauthorized access and compromise. . Vendor-released updates should be tested and deployed to affected applications accordingly.

References

Cisco Talos Report
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html 

Graphite Github Repository
https://github.com/silnrsi/graphite

Applications supporting Graphite (developer page)
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_apps

Date modified: