The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fedora | Fedoraproject | 22 (including) | 22 (including) |
| Fedora | Fedoraproject | 23 (including) | 23 (including) |
| Red Hat Enterprise Linux 5 | RedHat | firefox-0:38.6.1-1.el5_11 | * |
| Red Hat Enterprise Linux 5 | RedHat | thunderbird-0:38.6.0-1.el5_11 | * |
| Red Hat Enterprise Linux 6 | RedHat | firefox-0:38.6.1-1.el6_7 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:38.6.0-1.el6_7 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:38.6.1-1.el7_2 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:38.6.0-1.el7_2 | * |
| Red Hat Enterprise Linux 7 | RedHat | graphite2-0:1.3.6-1.el7_2 | * |
| Graphite2 | Ubuntu | devel | * |
| Graphite2 | Ubuntu | precise | * |
| Graphite2 | Ubuntu | trusty | * |
| Graphite2 | Ubuntu | upstream | * |
| Graphite2 | Ubuntu | vivid/stable-phone-overlay | * |
| Graphite2 | Ubuntu | wily | * |
| Graphite2 | Ubuntu | xenial | * |
| Graphite2 | Ubuntu | yakkety | * |
| Graphite2 | Ubuntu | zesty | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | precise | * |
| Thunderbird | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | vivid | * |
| Thunderbird | Ubuntu | wily | * |
| Thunderbird | Ubuntu | xenial | * |
| Thunderbird | Ubuntu | yakkety | * |
| Thunderbird | Ubuntu | zesty | * |