
CVE-2016-1521 Webfont Exploit in Firefox Because of Graphite Library - ck2
http://news.softpedia.com/news/vulnerability-in-font-processing-library-affects-linux-openoffice-firefox-500027.shtml
======
ck2
I don't see this mentioned anywhere but it might be possible to turn graphite
support off entirely via _about:config_

    gfx.font_rendering.graphite.enabled

Graphite was turned on by default after FF 28

[http://scripts.sil.org/cms/scripts/page.php?site_id=projects...](http://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_firefox)

CVE-2016-1521

[http://www.talosintel.com/reports/TALOS-2016-0058/](http://www.talosintel.com/reports/TALOS-2016-0058/)

Firefox builds before February 11 are vulnerable
[https://www.mozilla.org/en-US/security/advisories/mfsa2016-1...](https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/)

 _The directrun function in directmachine.cpp in Libgraphite in Graphite 2
1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
38.6.1, does not validate a certain skip operation, which allows remote
attackers to execute arbitrary code, obtain sensitive information, or cause a
denial of service (out-of-bounds read and application crash) via a crafted
Graphite smart font._
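
An added example, not part of the original comment: a Python check of how the pref named above is set in a Firefox profile's `prefs.js` and `user.js`, for auditing profiles on machines that cannot be updated right away. The function names and sample file contents are constructed for illustration, and treating an unset pref as enabled is an assumption taken from the comment's statement about the default after FF 28.

```python
import re

PREF = "gfx.font_rendering.graphite.enabled"  # pref name from the comment above
# Matches active lines of the form: user_pref("name", value);
# Lines commented out with // do not match because of the ^\s* anchor.
USER_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: raw_value}; a later line for the same name wins."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def graphite_state(prefs_js="", user_js="", default_enabled=True):
    """Effective (state, source) of the Graphite pref for one profile.

    user.js is applied on top of prefs.js at startup, so it wins.
    default_enabled=True is an assumption (Graphite on by default).
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    raw = merged.get(PREF)
    if raw is None:
        return ("enabled" if default_enabled else "disabled", "default")
    if raw == "false":
        return ("disabled", "explicit")
    if raw == "true":
        return ("enabled", "explicit")
    return ("unknown", "explicit")  # non-boolean value; needs a manual look


# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("gfx.font_rendering.graphite.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("gfx.font_rendering.graphite.enabled", false);\n'

if __name__ == "__main__":
    print(graphite_state(SAMPLE_PREFS_JS))
    print(graphite_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```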

