[Git][security-tracker-team/security-tracker][master] CVE-2021-45931/harfbuzz not-affected vulnerable code introduced later
Neil Williams (@codehelp)
codehelp at debian.org
Tue Apr 26 13:07:30 BST 2022
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dd82a69f by Neil Williams at 2022-04-26T13:06:52+01:00
CVE-2021-45931/harfbuzz not-affected vulnerable code introduced later
Vulnerable code existed for 6 days - both commits are first included in
the 2.9.1. git tag.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -23129,11 +23129,12 @@ CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 bytes)
CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) in Mqt ...)
NOT-FOR-US: wolfMQTT
CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t:: ...)
- - harfbuzz <undetermined>
+ - harfbuzz <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/harfbuzz/OSV-2021-1159.yaml
NOTE: https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81 (2.9.1)
- TODO: check correctness of commit, might not affect any Debian released version
+ NOTE: introduced in https://github.com/harfbuzz/harfbuzz/commit/f0c3804fa292ef3be41cc8d1cdea8239f00e2295 (2.9.1)
+ NOTE: vulnerable code not present in 2.9.0 git tag, error in CVE description
CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...)
{DLA-2895-1 DLA-2885-1}
- qtsvg-opensource-src 5.15.2-4 (bug #1002991)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd82a69f8faec388020425ab49ae7c75e8a8cd72
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd82a69f8faec388020425ab49ae7c75e8a8cd72
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220426/53a67f32/attachment.htm>
More information about the debian-security-tracker-commits
mailing list