[Git][security-tracker-team/security-tracker][master] CVE-2021-45931/harfbuzz not-affected vulnerable code introduced later

Tue, 26 Apr 2022 05:07:39 -0700 


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd82a69f by Neil Williams at 2022-04-26T13:06:52+01:00
CVE-2021-45931/harfbuzz not-affected vulnerable code introduced later

Vulnerable code existed for 6 days - both commits are first included in
the 2.9.1. git tag.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -23129,11 +23129,12 @@ CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based 
buffer overflow (8 bytes)
 CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 
bytes) in Mqt ...)
        NOT-FOR-US: wolfMQTT
 CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in 
hb_bit_set_invertible_t:: ...)
-       - harfbuzz <undetermined>
+       - harfbuzz <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425
        NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/harfbuzz/OSV-2021-1159.yaml
        NOTE: 
https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81
 (2.9.1)
-       TODO: check correctness of commit, might not affect any Debian released 
version
+       NOTE: introduced in 
https://github.com/harfbuzz/harfbuzz/commit/f0c3804fa292ef3be41cc8d1cdea8239f00e2295
 (2.9.1)
+       NOTE: vulnerable code not present in 2.9.0 git tag, error in CVE 
description
 CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has 
an out-o ...)
        {DLA-2895-1 DLA-2885-1}
        - qtsvg-opensource-src 5.15.2-4 (bug #1002991)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd82a69f8faec388020425ab49ae7c75e8a8cd72

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd82a69f8faec388020425ab49ae7c75e8a8cd72
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to