CVE-2017-5436
First published: Wed Apr 19 2017(Updated: )
An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products.
Credit: security@mozilla.org security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Thunderbird | <52.1 | 52.1 |
| Debian | =8.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.5 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| Graphite2 | ||
| Firefox | <53.0 | |
| Firefox | =52.0 | |
| Firefox ESR | <45.9.0 | |
| Thunderbird | <52.1.0 | |
| Firefox ESR | =52.0 | |
| Firefox | <53 | 53 |
| Firefox ESR | <45.9 | 45.9 |
| Firefox ESR | <52.1 | 52.1 |
| debian/firefox | 136.0-1 | |
| debian/firefox-esr | 115.14.0esr-1~deb11u1 128.8.0esr-1~deb11u1 128.5.0esr-1~deb12u1 128.8.0esr-1~deb12u1 128.7.0esr-1 128.8.0esr-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1345461
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/
- https://www.mozilla.org/security/advisories/mfsa2017-10/
- https://www.mozilla.org/security/advisories/mfsa2017-11/
- https://www.mozilla.org/security/advisories/mfsa2017-12/
- https://www.mozilla.org/security/advisories/mfsa2017-13/
- https://www.debian.org/security/2017/dsa-3831
- https://security.gentoo.org/glsa/201706-25
- https://access.redhat.com/errata/RHSA-2017:1104
- https://access.redhat.com/errata/RHSA-2017:1106
- https://access.redhat.com/errata/RHSA-2017:1201
- http://www.securityfocus.com/bid/97940
- http://www.securitytracker.com/id/1038320
- https://launchpad.net/bugs/cve/CVE-2017-5436
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5436
- https://bugzilla.redhat.com/show_bug.cgi?id=1443327
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/#CVE-2017-5461
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/
- https://security-tracker.debian.org/tracker/CVE-2017-5436
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
- https://nvd.nist.gov/vuln/detail/CVE-2017-5436
- https://ubuntu.com/security/CVE-2017-5436
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-5433
- CVE-2017-5435
- CVE-2017-5436
- CVE-2017-5461
- CVE-2017-5459
- CVE-2017-5466
- CVE-2017-5434
- CVE-2017-5432
- CVE-2017-5460
- CVE-2017-5438
- CVE-2017-5439
- CVE-2017-5440
- CVE-2017-5441
- CVE-2017-5442
- CVE-2017-5464
- CVE-2017-5443
- CVE-2017-5444
- CVE-2017-5446
- CVE-2017-5447
- CVE-2017-5465
- CVE-2016-10196
- CVE-2017-5454
- CVE-2017-5469
- CVE-2017-5445
- CVE-2017-5449
- CVE-2017-5451
- CVE-2017-5462
- CVE-2017-5467
- CVE-2017-5430
- CVE-2017-5429
- CVE-2017-5448
- CVE-2017-5455
- CVE-2017-5456
- CVE-2017-5450
- CVE-2017-5463
- CVE-2017-5452
- CVE-2017-5453
- CVE-2017-5458
- CVE-2017-5468
Frequently Asked Questions
What is the severity of CVE-2017-5436?
CVE-2017-5436 is categorized as a high-severity vulnerability due to the potential for exploitation leading to a crash.
How do I fix CVE-2017-5436?
To resolve CVE-2017-5436, update to the fixed versions of affected software, such as Mozilla Thunderbird 52.1 or Firefox ESR 52.1.
Which software is affected by CVE-2017-5436?
CVE-2017-5436 affects several versions of Thunderbirds and Firefox ESR prior to 52.1, as well as earlier versions of Debian and Red Hat Enterprise Linux.
What can result from the exploitation of CVE-2017-5436?
Exploitation of CVE-2017-5436 can lead to an out-of-bounds write, potentially crashing the application or causing other unpredictable behaviors.
Is there a patch available for CVE-2017-5436?
Yes, a patch for CVE-2017-5436 is available in the updated versions of the affected Mozilla products and related software.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-5436
- agent/weakness
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/author
- agent/trending
- agent/last-modified-date
- agent/source
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- source/Mozilla
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/debian
- vendor/mozilla
- canonical/thunderbird
- vendor/debian
- canonical/debian
- version/debian/8.0
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.3
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.5
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux workstation/7.0
- vendor/sil
- canonical/graphite2
- canonical/firefox
- version/firefox/52.0
- canonical/firefox esr
- version/firefox esr/52.0