Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: a2d66857 by Moritz Muehlenhoff at 2022-01-03T15:53:17+01:00 new libgrokj2k, openexr issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -136,11 +136,11 @@ CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a hea NOTE: https://github.com/assimp/assimp/pull/4146 NOTE: https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0) CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from ...) - TODO: check + NOT-FOR-US: wasm3 CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) - TODO: check + NOT-FOR-US: wasm3 CVE-2021-45945 (uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds write in std::_ ...) - TODO: check + NOT-FOR-US: uWebSockets CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampl ...) - ghostscript <unfixed> NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29903 @@ -156,7 +156,9 @@ CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCI NOTE: https://github.com/OSGeo/gdal/commit/9b2bcbc47d1649adc0ab65b801f96f56156cf017 (v3.4.1RC1) NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_ ...) - TODO: check + - openexr <unfixed> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...) - libbpf <unfixed> NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957 @@ -168,21 +170,23 @@ CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: uWebSockets CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45937 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45936 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttDecode_Di ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45935 (Grok 9.5.0 has a heap-based buffer overflow in openhtj2k::T1OpenHTJ2K: ...) - TODO: check + - libgrokj2k <unfixed> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39021 + NOTE: Referenced fix isn't in the upstream repo CVE-2021-45934 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 bytes) in Mqt ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) in Mqt ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t:: ...) - harfbuzz <undetermined> NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425 @@ -200,7 +204,7 @@ CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an NOTE: https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc (v5.12.12) TODO: check if impact present for qt4-x11, furthermore while fixed in 5.12.12 it is not in 5.15.y. CVE-2021-45929 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) - TODO: check + NOT-FOR-US: wasm3 CVE-2021-45928 (libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and other produ ...) - jpeg-xl <not-affected> (Vulnerable code not present in a released Debian version; fixed before inital upload to Debian) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36456 @@ -892,75 +896,75 @@ CVE-2021-4180 CVE-2021-4179 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) NOT-FOR-US: livehelperchat CVE-2021-45720 (An issue was discovered in the lru crate before 0.7.1 for Rust. The it ...) - TODO: check + NOT-FOR-US: Rust crate lru CVE-2021-45719 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45718 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45717 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45716 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45715 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45714 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45713 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check + NOT-FOR-US: Rust crate rusqlite CVE-2021-45712 (An issue was discovered in the rust-embed crate before 6.3.0 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate rust-embed CVE-2021-45711 (An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 fo ...) - TODO: check + NOT-FOR-US: Rust crate simple_asn1 CVE-2021-45710 (An issue was discovered in the tokio crate before 1.8.4, and 1.9.x thr ...) TODO: check CVE-2021-45709 (An issue was discovered in the crypto2 crate through 2021-10-08 for Ru ...) - TODO: check + NOT-FOR-US: Rust crate crypto2 CVE-2021-45708 (An issue was discovered in the abomonation crate through 2021-10-17 fo ...) - TODO: check + NOT-FOR-US: Rust crate abomonation CVE-2021-45707 (An issue was discovered in the nix crate before 0.20.2, 0.21.x before ...) TODO: check CVE-2021-45706 (An issue was discovered in the zeroize_derive crate before 1.1.1 for R ...) - TODO: check + NOT-FOR-US: Rust crate zeroize_derive CVE-2021-45705 (An issue was discovered in the nanorand crate before 0.6.1 for Rust. T ...) - TODO: check + NOT-FOR-US: Rust crate nanorand CVE-2021-45704 (An issue was discovered in the metrics-util crate before 0.7.0 for Rus ...) - TODO: check + NOT-FOR-US: Rust crate metrics-util CVE-2021-45703 (An issue was discovered in the tectonic_xdv crate before 0.1.12 for Ru ...) - TODO: check + NOT-FOR-US: Rust crate tectonic_xdv CVE-2021-45702 (An issue was discovered in the tremor-script crate before 0.11.6 for R ...) - TODO: check + NOT-FOR-US: Rust crate tremor-script CVE-2021-45701 (An issue was discovered in the tremor-script crate before 0.11.6 for R ...) - TODO: check + NOT-FOR-US: Rust crate tremor-script CVE-2021-45700 (An issue was discovered in the ckb crate before 0.40.0 for Rust. Attac ...) - TODO: check + NOT-FOR-US: Rust crate ckb CVE-2021-45699 (An issue was discovered in the ckb crate before 0.40.0 for Rust. Remot ...) - TODO: check + NOT-FOR-US: Rust crate ckb CVE-2021-45698 (An issue was discovered in the ckb crate before 0.40.0 for Rust. A get ...) - TODO: check + NOT-FOR-US: Rust crate ckb CVE-2021-45697 (An issue was discovered in the molecule crate before 0.7.2 for Rust. A ...) - TODO: check + NOT-FOR-US: Rust crate molecule CVE-2021-45696 (An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 for Rust. ...) TODO: check CVE-2021-45695 (An issue was discovered in the mopa crate through 2021-06-01 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate mopa CVE-2021-45694 (An issue was discovered in the rdiff crate through 2021-02-03 for Rust ...) - TODO: check + NOT-FOR-US: Rust crate rdiff CVE-2021-45693 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) - TODO: check + NOT-FOR-US: Rust crate messagepack-rs CVE-2021-45692 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) - TODO: check + NOT-FOR-US: Rust crate messagepack-rs CVE-2021-45691 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) - TODO: check + NOT-FOR-US: Rust crate messagepack-rs CVE-2021-45690 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) - TODO: check + NOT-FOR-US: Rust crate messagepack-rs CVE-2021-45689 (An issue was discovered in the gfx-auxil crate through 2021-01-07 for ...) - TODO: check + NOT-FOR-US: Rust crate gfx-auxil CVE-2021-45688 (An issue was discovered in the ash crate before 0.33.1 for Rust. util: ...) - TODO: check + NOT-FOR-US: Rust crate ash CVE-2021-45687 (An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate raw-cpuid CVE-2021-45686 (An issue was discovered in the csv-sniffer crate through 2021-01-05 fo ...) - TODO: check + NOT-FOR-US: Rust crate csv-sniffer CVE-2021-45685 (An issue was discovered in the columnar crate through 2021-01-07 for R ...) TODO: check CVE-2021-45684 (An issue was discovered in the flumedb crate through 2021-01-07 for Ru ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2d6685751c82a2e3f564d4d2ba5a63acf39240f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2d6685751c82a2e3f564d4d2ba5a63acf39240f You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits