[Git][security-tracker-team/security-tracker][master] Add two oss-fuzz related issues for libbpf

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Jan 1 08:55:54 GMT 2022 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4c981596 by Salvatore Bonaccorso at 2022-01-01T09:54:03+01:00
Add two oss-fuzz related issues for libbpf

As with the already looked reports, not really helpful information as
e.g. introducing commits are mostly related to when oss-fuzzing started.
So note to reviewers, take all with a grain of salt in both introducing
anf fixing information and make sure the tracking we do is correct.

Better stay safe on wrong side for now and keep it unfixed in case of
doupt.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -70,9 +70,15 @@ CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCI
 CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_ ...)
 	TODO: check
 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...)
-	TODO: check
+	- libbpf <unfixed>
+	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
+	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1576.yaml
+	TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started
 CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in _ ...)
-	TODO: check
+	- libbpf <unfixed>
+	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
+	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml
+	TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started
 CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...)
 	TODO: check
 CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c981596f6f0e388865c6c14063b4a8538ef6601

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c981596f6f0e388865c6c14063b4a8538ef6601
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220101/b7fbf887/attachment.htm>

More information about the debian-security-tracker-commits mailing list