Bug 1301553 (CVE-2015-8947, CVE-2016-2052) - CVE-2016-2052 CVE-2015-8947 chromium-browser: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6
Summary: CVE-2016-2052 CVE-2015-8947 chromium-browser: Multiple unspecified vulnerabil...
Alias: CVE-2015-8947, CVE-2016-2052
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20160124,repor...
Keywords: Reopened, Security
Depends On: 1358576 1301555 1301556 1358575 1358577
Blocks: 1301530
TreeView+ depends on / blocked
Reported: 2016-01-25 11:31 UTC by Adam Mariš
Modified: 2019-06-08 20:57 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2019-06-08 02:47:41 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0072 normal SHIPPED_LIVE Important: chromium-browser security update 2016-01-27 16:26:55 UTC

Description Adam Mariš 2016-01-25 11:31:38 UTC
Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6 were found, as used in Google Chrome before 48.0.2564.82, allowing attackers to cause a denial of service or possibly have other impact via unknown vectors.

Upstream tracking bug:


Comment 2 errata-xmlrpc 2016-01-27 11:28:18 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2016:0072 https://rhn.redhat.com/errata/RHSA-2016-0072.html

Comment 3 Huzaifa S. Sidhpurwala 2016-03-14 05:41:18 UTC
This CVE was assigned to "Update harfbuzz to 1.0.6" in chromium browser. (As referenced by the comment #0 above). When investigating this issue it seems all the issues fixed in 1.0.5 and subsequent 1.0.6 are linked to their fuzzing initiative as obvious from https://github.com/behdad/harfbuzz/issues/139.

Several flaws were fixed, which include:

Several heap-based buffer overflows at:

And a few other assorted flaws (some of them may have a non-security impact)

Comment 4 Huzaifa S. Sidhpurwala 2016-07-14 06:19:01 UTC
Send a CVE request to MITRE at:


Comment 5 Adam Mariš 2016-07-19 10:55:45 UTC
CVE-2015-8947 was assigned by MITRE:


to issue fixed by following commit:


Comment 6 Huzaifa S. Sidhpurwala 2016-07-21 03:47:28 UTC
Further to comment #5, the following commit was assigned to CVE-2016-2052:


while CVE-2015-8947 has been assigned to:


Comment 7 Huzaifa S. Sidhpurwala 2016-07-21 03:54:02 UTC
Created mingw-harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 1358576]

Comment 8 Huzaifa S. Sidhpurwala 2016-07-21 03:54:14 UTC
Created harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 1358575]
Affects: epel-7 [bug 1358577]

Note You need to log in before you can comment on or make changes to this bug.