Name | CVE-2018-7999 |
Description | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference vulnerability was found in Segment.cpp during a dumbRendering operation, which may allow attackers to cause a denial of service or possibly have unspecified other impact via a crafted .ttf file. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 892590 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| graphite2 (PTS) | jessie, jessie (lts) | 1.3.10-1~deb8u1 | vulnerable |
| | stretch | 1.3.10-1 | vulnerable |
| | buster | 1.3.13-7 | fixed |
| | bullseye, bookworm | 1.3.14-1 | fixed |
| | sid, trixie | 1.3.14-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| graphite2 | source | (unstable) | 1.3.11-2 | | | 892590 |
Notes
[stretch] - graphite2 <no-dsa> (Minor issue)
[jessie] - graphite2 <no-dsa> (Minor issue)
[wheezy] - graphite2 <no-dsa> (Minor issue)
https://github.com/silnrsi/graphite/commit/db132b4731a9b4c9534144ba3a18e65b390e9ff6
https://github.com/silnrsi/graphite/issues/22