Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
- To: submit@bugs.debian.org
- Subject: Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Mon, 12 Sep 2022 22:46:01 +0200
- Message-id: <Yx+aibardhZH5Y9c@pisco.westfalen.local>
- Reply-to: Moritz Mühlenhoff <jmm@inutil.org>, 1019602@bugs.debian.org
Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for OTFCC, which, starting
with some texlive release after Bullseye, gets included in texlive
(web2c/mfluadir):
https://cvjark.github.io/2022/07/06/CVE-2022-33047/
CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.
CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.
CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.
CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.
CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.
CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.
CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.
CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.
CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.
CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.
CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.
CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.
CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.
CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.
CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.
CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.
CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.
CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.
CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.
CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.
CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.
CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.
CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.
CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.
CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.
CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.
CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.
CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458
Please adjust the affected versions in the BTS as needed.