On Mon, Jan 12, 2026 at 10:42:33AM +0100, Jan Engelhardt wrote:
>
> On Monday 2026-01-12 04:09, Jacob Bachmeyer wrote:
> >
> > In short, this is a crash bug, but not a security issue. This is different
> > from (for example) a parser bug that results in NULL being dereferenced if
> > crafted input is processed.
> >
> > Are we now using CVE IDs as some kind of global bug tracker?
>
> Isn't that how the Linux kernel works these days,
> as per <https://docs.kernel.org/process/cve.html>:
>
> "almost any bug might be exploitable to compromise the security of
> the kernel, but the possibility of exploitation is often not evident
> when the bug is fixed"

The kernel might be a bit "different" here, given that any type of bug
that happens at the level of Linux can cause a system failure (i.e.
vulnerability), while I don't know if harfbuzz is at that same level
(i.e. does it claim to support any invalid input, like the kernel does?)

thanks,

greg k-h
