Number: AV16-021
Date: 8 February 2015
Purpose
The purpose of this advisory is to bring attention to multiple vulnerabilities in the Graphite (Libgraphite) library.
Assessment
CCIRC is aware of four critical vulnerabilities in the Graphite library which could allow a remote attacker to execute arbitrary code. Graphite is a font processing library leveraged by several popular Linux applications (including Mozilla Firefox, LibreOffice and OpenOffice).
Affected versions: Graphite 2 - 1.3.4 and prior
CVE References: CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526
Suggested action
CCIRC recommends that system administrators with environments using software that leverage the Graphite 2 library to check with software developers for patch availability. Vendor-released updates should be tested and deployed to affected applications accordingly.
References
Cisco Talos Report
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
Graphite Github Repository
https://github.com/silnrsi/graphite
Applications supporting Graphite (developer page)
http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_apps