Bug 1301553 - (CVE-2015-8947, CVE-2016-2052) CVE-2016-2052 CVE-2015-8947 chromium-browser: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6
CVE-2016-2052 CVE-2015-8947 chromium-browser: Multiple unspecified vulnerabil...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Reopened, Security
Depends On: 1358576 1301555 1301556 1358575 1358577
Blocks: 1301530
  Show dependency treegraph
Reported: 2016-01-25 06:31 EST by Adam Mariš
Modified: 2016-07-21 00:25 EDT (History)
2 users (show)

See Also:
Fixed In Version: chromium-browser 48.0.2564.82
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-28 00:19:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-01-25 06:31:38 EST
Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6 were found, as used in Google Chrome before 48.0.2564.82, allowing attackers to cause a denial of service or possibly have other impact via unknown vectors.

Upstream tracking bug:

Comment 2 errata-xmlrpc 2016-01-27 06:28:18 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html
Comment 3 Huzaifa S. Sidhpurwala 2016-03-14 01:41:18 EDT
This CVE was assigned to "Update harfbuzz to 1.0.6" in chromium browser. (As referenced by the comment #0 above). When investigating this issue it seems all the issues fixed in 1.0.5 and subsequent 1.0.6 are linked to their fuzzing initiative as obvious from https://github.com/behdad/harfbuzz/issues/139.

Several flaws were fixed, which include:

Several heap-based buffer overflows at:

And a few other assorted flaws (some of them may have a non-security impact)
Comment 4 Huzaifa S. Sidhpurwala 2016-07-14 02:19:01 EDT
Send a CVE request to MITRE at:

Comment 5 Adam Mariš 2016-07-19 06:55:45 EDT
CVE-2015-8947 was assigned by MITRE:


to issue fixed by following commit:

Comment 6 Huzaifa S. Sidhpurwala 2016-07-20 23:47:28 EDT
Further to comment #5, the following commit was assigned to CVE-2016-2052:


while CVE-2015-8947 has been assigned to:

Comment 7 Huzaifa S. Sidhpurwala 2016-07-20 23:54:02 EDT
Created mingw-harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 1358576]
Comment 8 Huzaifa S. Sidhpurwala 2016-07-20 23:54:14 EDT
Created harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 1358575]
Affects: epel-7 [bug 1358577]

Note You need to log in before you can comment on or make changes to this bug.