On 12.09.2022 at 22:46, Moritz Mühlenhoff wrote:
Source: texlive-bin
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The otfccdump binary is not built by any source package, hence we are not affected. Yes, we carry the source code of the program, but we don't use it. The otfcc project seems to be dead anyway:
https://github.com/caryll/otfcc

Hilmar
The following vulnerabilities were published for OTFCC, which, starting with some texlive release after Bullseye, gets included in texlive (web2c/mfluadir):
https://cvjark.github.io/2022/07/06/CVE-2022-33047/

CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.

CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.

CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.

CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.

CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.

CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.

CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.

CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.

CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.

CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.

CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.

CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.

CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.

CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.

CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.

CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.

CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.

CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.

CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458

Please adjust the affected versions in the BTS as needed.
--
sigfault