Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458

[Moritz Mühlenhoff <jmm@inutil.org>]

Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for OFTCC, which starting
with some texlive release after Bullseye gets included in texlive
(web2c/mfluadir):

https://cvjark.github.io/2022/07/06/CVE-2022-33047/

CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.

CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.

CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.

CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.

CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.

CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.

CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.

CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.

CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.

CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.

CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.

CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.

CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.

CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.

CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.

CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.

CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.

CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.

CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458

Please adjust the affected versions in the BTS as needed.