Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2d66857 by Moritz Muehlenhoff at 2022-01-03T15:53:17+01:00
new libgrokj2k, openexr issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -136,11 +136,11 @@ CVE-2021-45948 (Open Asset Import Library (aka assimp) 
5.1.0 and 5.1.1 has a hea
        NOTE: https://github.com/assimp/assimp/pull/4146
        NOTE: 
https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2
 (v5.1.0)
 CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release 
(called from ...)
-       TODO: check
+       NOT-FOR-US: wasm3
 CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called 
from Co ...)
-       TODO: check
+       NOT-FOR-US: wasm3
 CVE-2021-45945 (uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds write 
in std::_ ...)
-       TODO: check
+       NOT-FOR-US: uWebSockets
 CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free 
in sampl ...)
        - ghostscript <unfixed>
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29903
@@ -156,7 +156,9 @@ CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based 
buffer overflow in PCI
        NOTE: 
https://github.com/OSGeo/gdal/commit/9b2bcbc47d1649adc0ab65b801f96f56156cf017 
(v3.4.1RC1)
        NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml
 CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow 
in Imf_3_ ...)
-       TODO: check
+       - openexr <unfixed>
+       NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
+       NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0
 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 
bytes) in _ ...)
        - libbpf <unfixed>
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
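Review bot: the new CVE-2021-45942 entry records the upstream openexr commit db217f29dfb24f6b4b5100c24ac5e7490e1c57d0 but gives no release tag for it, while the package line stays at "- openexr <unfixed>". The gdal entry directly above annotates its commit NOTE with "(v3.4.1RC1)"; adding the first upstream release that contains the fix in the same way would let the next triager set a fixed version without re-checking upstream.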
@@ -168,21 +170,23 @@ CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based 
buffer overflow (4 bytes
        NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml
        TODO: check details on fixing commit upstream, furthermore intorducing 
commit is only when oss-fuzz started
 CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttClient_De ...)
-       TODO: check
+       NOT-FOR-US: uWebSockets
 CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttClient_De ...)
-       TODO: check
+       NOT-FOR-US: wolfMQTT
 CVE-2021-45937 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttClient_De ...)
-       TODO: check
+       NOT-FOR-US: wolfMQTT
 CVE-2021-45936 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttDecode_Di ...)
-       TODO: check
+       NOT-FOR-US: wolfMQTT
 CVE-2021-45935 (Grok 9.5.0 has a heap-based buffer overflow in 
openhtj2k::T1OpenHTJ2K: ...)
-       TODO: check
+       - libgrokj2k <unfixed>
+       NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39021
+       NOTE: Referenced fix isn't in the upstream repo
 CVE-2021-45934 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttClient_De ...)
-       TODO: check
+       NOT-FOR-US: wolfMQTT
 CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 
bytes) in Mqt ...)
-       TODO: check
+       NOT-FOR-US: wolfMQTT
 CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 
bytes) in Mqt ...)
-       TODO: check
+       NOT-FOR-US: wolfMQTT
 CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in 
hb_bit_set_invertible_t:: ...)
        - harfbuzz <undetermined>
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425
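Review bot: CVE-2021-45939 is described as "wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow" but is tagged "NOT-FOR-US: uWebSockets", which looks like a copy-paste from the CVE-2021-45945 entry; every other wolfMQTT entry in this hunk uses "NOT-FOR-US: wolfMQTT", and this one should match so that searches on the product name find it. Separately, the CVE-2021-45935 NOTE "Referenced fix isn't in the upstream repo" would be easier to follow up if it named which commit reference was checked.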
@@ -200,7 +204,7 @@ CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 
through 6.2.1 has an
        NOTE: 
https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc 
(v5.12.12)
        TODO: check if impact present for qt4-x11, furthermore while fixed in 
5.12.12 it is not in 5.15.y.
 CVE-2021-45929 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called 
from Co ...)
-       TODO: check
+       NOT-FOR-US: wasm3
 CVE-2021-45928 (libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and 
other produ ...)
        - jpeg-xl <not-affected> (Vulnerable code not present in a released 
Debian version; fixed before inital upload to Debian)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36456
@@ -892,75 +896,75 @@ CVE-2021-4180
 CVE-2021-4179 (livehelperchat is vulnerable to Improper Neutralization of 
Input Durin ...)
        NOT-FOR-US: livehelperchat
 CVE-2021-45720 (An issue was discovered in the lru crate before 0.7.1 for 
Rust. The it ...)
-       TODO: check
+       NOT-FOR-US: Rust crate lru
 CVE-2021-45719 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45718 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45717 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45716 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45715 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45714 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45713 (An issue was discovered in the rusqlite crate 0.25.x before 
0.25.4 and ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rusqlite
 CVE-2021-45712 (An issue was discovered in the rust-embed crate before 6.3.0 
for Rust. ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rust-embed
 CVE-2021-45711 (An issue was discovered in the simple_asn1 crate 0.6.0 before 
0.6.1 fo ...)
-       TODO: check
+       NOT-FOR-US: Rust crate simple_asn1
 CVE-2021-45710 (An issue was discovered in the tokio crate before 1.8.4, and 
1.9.x thr ...)
        TODO: check
 CVE-2021-45709 (An issue was discovered in the crypto2 crate through 
2021-10-08 for Ru ...)
-       TODO: check
+       NOT-FOR-US: Rust crate crypto2
 CVE-2021-45708 (An issue was discovered in the abomonation crate through 
2021-10-17 fo ...)
-       TODO: check
+       NOT-FOR-US: Rust crate abomonation
 CVE-2021-45707 (An issue was discovered in the nix crate before 0.20.2, 0.21.x 
before  ...)
        TODO: check
 CVE-2021-45706 (An issue was discovered in the zeroize_derive crate before 
1.1.1 for R ...)
-       TODO: check
+       NOT-FOR-US: Rust crate zeroize_derive
 CVE-2021-45705 (An issue was discovered in the nanorand crate before 0.6.1 for 
Rust. T ...)
-       TODO: check
+       NOT-FOR-US: Rust crate nanorand
 CVE-2021-45704 (An issue was discovered in the metrics-util crate before 0.7.0 
for Rus ...)
-       TODO: check
+       NOT-FOR-US: Rust crate metrics-util
 CVE-2021-45703 (An issue was discovered in the tectonic_xdv crate before 
0.1.12 for Ru ...)
-       TODO: check
+       NOT-FOR-US: Rust crate tectonic_xdv
 CVE-2021-45702 (An issue was discovered in the tremor-script crate before 
0.11.6 for R ...)
-       TODO: check
+       NOT-FOR-US: Rust crate tremor-script
 CVE-2021-45701 (An issue was discovered in the tremor-script crate before 
0.11.6 for R ...)
-       TODO: check
+       NOT-FOR-US: Rust crate tremor-script
 CVE-2021-45700 (An issue was discovered in the ckb crate before 0.40.0 for 
Rust. Attac ...)
-       TODO: check
+       NOT-FOR-US: Rust crate ckb
 CVE-2021-45699 (An issue was discovered in the ckb crate before 0.40.0 for 
Rust. Remot ...)
-       TODO: check
+       NOT-FOR-US: Rust crate ckb
 CVE-2021-45698 (An issue was discovered in the ckb crate before 0.40.0 for 
Rust. A get ...)
-       TODO: check
+       NOT-FOR-US: Rust crate ckb
 CVE-2021-45697 (An issue was discovered in the molecule crate before 0.7.2 for 
Rust. A ...)
-       TODO: check
+       NOT-FOR-US: Rust crate molecule
 CVE-2021-45696 (An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 
for Rust. ...)
        TODO: check
 CVE-2021-45695 (An issue was discovered in the mopa crate through 2021-06-01 
for Rust. ...)
-       TODO: check
+       NOT-FOR-US: Rust crate mopa
 CVE-2021-45694 (An issue was discovered in the rdiff crate through 2021-02-03 
for Rust ...)
-       TODO: check
+       NOT-FOR-US: Rust crate rdiff
 CVE-2021-45693 (An issue was discovered in the messagepack-rs crate through 
2021-01-26 ...)
-       TODO: check
+       NOT-FOR-US: Rust crate messagepack-rs
 CVE-2021-45692 (An issue was discovered in the messagepack-rs crate through 
2021-01-26 ...)
-       TODO: check
+       NOT-FOR-US: Rust crate messagepack-rs
 CVE-2021-45691 (An issue was discovered in the messagepack-rs crate through 
2021-01-26 ...)
-       TODO: check
+       NOT-FOR-US: Rust crate messagepack-rs
 CVE-2021-45690 (An issue was discovered in the messagepack-rs crate through 
2021-01-26 ...)
-       TODO: check
+       NOT-FOR-US: Rust crate messagepack-rs
 CVE-2021-45689 (An issue was discovered in the gfx-auxil crate through 
2021-01-07 for  ...)
-       TODO: check
+       NOT-FOR-US: Rust crate gfx-auxil
 CVE-2021-45688 (An issue was discovered in the ash crate before 0.33.1 for 
Rust. util: ...)
-       TODO: check
+       NOT-FOR-US: Rust crate ash
 CVE-2021-45687 (An issue was discovered in the raw-cpuid crate before 9.1.1 
for Rust.  ...)
-       TODO: check
+       NOT-FOR-US: Rust crate raw-cpuid
 CVE-2021-45686 (An issue was discovered in the csv-sniffer crate through 
2021-01-05 fo ...)
-       TODO: check
+       NOT-FOR-US: Rust crate csv-sniffer
 CVE-2021-45685 (An issue was discovered in the columnar crate through 
2021-01-07 for R ...)
        TODO: check
 CVE-2021-45684 (An issue was discovered in the flumedb crate through 
2021-01-07 for Ru ...)
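Review bot: CVE-2021-45710 (tokio), CVE-2021-45707 (nix), CVE-2021-45696 (sha2) and CVE-2021-45685 (columnar) keep "TODO: check" while every neighbouring Rust crate entry in this hunk is switched to NOT-FOR-US, and the commit message ("NFUs") does not say whether these four were skipped deliberately. If they are held back for per-package triage, a short mention in the commit message or a more specific TODO text on those entries would keep a later pass from treating them as overlooked.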



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2d6685751c82a2e3f564d4d2ba5a63acf39240f
