CVE-2016-1522

Code.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, does not consider recursive load calls during a size check, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via a crafted Graphite smart font.

Database specific

{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "debian:debian_linux",
            "extracted_events": [
                {
                    "last_affected": "7.0"
                },
                {
                    "last_affected": "8.0"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*"
            ],
            "vendor_product": "fedoraproject:fedora",
            "extracted_events": [
                {
                    "last_affected": "22"
                },
                {
                    "last_affected": "23"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpes": [
                "cpe:2.3:a:mozilla:firefox:38.0.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.0.5:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.1.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.1.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.2.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.5.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.5.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.5.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:mozilla:firefox:38.6.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "mozilla:firefox",
            "extracted_events": [
                {
                    "last_affected": "38.0"
                },
                {
                    "last_affected": "38.0.1"
                },
                {
                    "last_affected": "38.0.5"
                },
                {
                    "last_affected": "38.1.0"
                },
                {
                    "last_affected": "38.1.1"
                },
                {
                    "last_affected": "38.2.0"
                },
                {
                    "last_affected": "38.2.1"
                },
                {
                    "last_affected": "38.3.0"
                },
                {
                    "last_affected": "38.4.0"
                },
                {
                    "last_affected": "38.5.0"
                },
                {
                    "last_affected": "38.5.1"
                },
                {
                    "last_affected": "38.5.2"
                },
                {
                    "last_affected": "38.6.0"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpes": [
                "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "mozilla:thunderbird",
            "extracted_events": [
                {
                    "last_affected": "38.5.1"
                }
            ]
        }
    ]
}

References

CVE-2016-1522

Affected packages