CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.021 Low
Percentile: 89.1%
CVE-2016-1521
An exploitable out-of-bounds read vulnerability exists in the opcode handling functionality of Libgraphite. A specially crafted font can cause an out-of-bounds read resulting in arbitrary code execution. An attacker can provide a malicious font to trigger this vulnerability.
Libgraphite 2-1.2.4
<http://sourceforge.net/projects/silgraphite/files/graphite2/>
If a malicious font is provided, an out of bounds read can occur while interpreting the opcodes in a font.
The problem occurs when executing the various opcodes in the function direct_run in the file direct_machine.cpp. At line 85, the interpreter dispatches to the next opcode by performing a goto instruction.
goto **ip;
If the opcode in question is a cntxt_item, the ip variable is advanced by iskip bytes to find the next opcode, and interpretation continues from there. This is done at line 369 of opcodes.h.
ip += iskip;
However, there are no checks to ensure that ip remains within the bounds of the buffer allocated for the bytecode being interpreted (the program variable). In the case of the malicious font provided here, the value of iskip is 55, resulting in an out-of-bounds read when the program performs the jump to **ip. The memory read lies in a region that was previously allocated for data. This allows an attacker to potentially execute arbitrary code.
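To make the failure mode concrete, here is an added example (not code from libgraphite or from the report) of a toy opcode interpreter with a CNTXT_ITEM instruction that carries a one-byte skip count, written first with the unchecked "ip += iskip" advance and then with every read and skip bounded by the end of the program buffer. The opcode set, the accumulator semantics and both sample programs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy opcode set: CNTXT_ITEM is followed by a skip count (the
 * report's iskip) giving the number of body bytes to jump over. */
enum { OP_END = 0, OP_ADD = 1, OP_CNTXT_ITEM = 2 };

#define ERR_OOB (-1)

/* Vulnerable form: mirrors the unchecked advance from the report. A skip
 * larger than the remaining program moves ip past the buffer, and the next
 * dispatch reads whatever memory happens to follow it. */
int run_unchecked(const uint8_t *program, size_t len)
{
    const uint8_t *ip = program;
    int acc = 0;
    (void)len;                                   /* length never consulted */
    for (;;) {
        switch (*ip++) {
        case OP_END:        return acc;
        case OP_ADD:        acc += *ip++; break;
        case OP_CNTXT_ITEM: { uint8_t iskip = *ip++; ip += iskip; break; }
        default:            return ERR_OOB;
        }
    }
}

/* Hardened form: the opcode byte, every operand byte and the skipped body
 * are all checked against end before being touched, so a crafted skip
 * count fails closed with ERR_OOB instead of dispatching on stray memory. */
int run_checked(const uint8_t *program, size_t len)
{
    const uint8_t *ip = program, *end = program + len;
    int acc = 0;
    for (;;) {
        if (ip >= end) return ERR_OOB;                     /* opcode byte */
        switch (*ip++) {
        case OP_END:        return acc;
        case OP_ADD:        if (ip >= end) return ERR_OOB; /* operand */
                            acc += *ip++; break;
        case OP_CNTXT_ITEM: {
            if (ip >= end) return ERR_OOB;                 /* skip count */
            uint8_t iskip = *ip++;
            if ((size_t)(end - ip) < iskip) return ERR_OOB; /* body */
            ip += iskip; break;
        }
        default:            return ERR_OOB;
        }
    }
}

/* Constructed sample programs: a well-formed one, and one whose skip of 55
 * (the value cited in the report) overshoots a five-byte buffer. */
const uint8_t good_program[] = { OP_ADD, 5, OP_CNTXT_ITEM, 2, 0xAA, 0xBB, OP_ADD, 7, OP_END };
const uint8_t bad_program[]  = { OP_ADD, 5, OP_CNTXT_ITEM, 55, OP_END };
```

Only run_checked is fed bad_program; running run_unchecked on it would read past the array, which is exactly the defect the check prevents.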
The malicious font provided here can be used to reproduce the problem with the "simple" test program shipped with libgraphite and the parameter "test": ./simple maliciousfont test
Yves Younan