
Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458



On 12.09.2022 at 22:46, Moritz Mühlenhoff wrote:
Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The otfccdump binary is not built by any source package, hence we are not affected. Yes, we carry the source code of the program, but we don't use it. The otfcc project seems to be dead anyway:

https://github.com/caryll/otfcc

Hilmar

The following vulnerabilities were published for OTFCC, which, starting
with some texlive release after Bullseye, gets included in texlive
(web2c/mfluadir):

https://cvjark.github.io/2022/07/06/CVE-2022-33047/

CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.

CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.

CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.

CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.

CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.

CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.

CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.

CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.

CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.

CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.

CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.

CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.

CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.

CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.

CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.

CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.

CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.

CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.

CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458

Please adjust the affected versions in the BTS as needed.



--
sigfault
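A small triage helper for the mass-CVE bug template quoted above, added here as an example and not part of the bug report or the otfcc project: it parses the `CVE-…[n]:` / `| …` entries, groups them by bug class and by whether the reported crash site is inside otfccdump itself or inside libc (a fault in libc's memmove is still the caller's bad length or pointer, not a libc bug), and lists which ids a changelog entry still fails to mention, as the report asks. The sample excerpt is a few of the page's own entries; the changelog line is constructed.

```python
import re
from collections import Counter

# Constructed excerpt of the Debian security-team template shown on the page:
# a CVE id with its footnote index, then a "| "-quoted description.
SAMPLE_REPORT = """\
CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.
"""

ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d+)\[(\d+)\]:\n((?:\| .*\n?)+)", re.MULTILINE)
CLASS_RE = re.compile(r"contain an? (.+?) via\s+(\S+?)\.?$")

def parse_report(text):
    """Return (cve, bug_class, crash_location) tuples from the template text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        # Re-join the wrapped "| " lines into one sentence before matching.
        desc = " ".join(line[2:].strip() for line in m.group(3).splitlines())
        c = CLASS_RE.search(desc)
        if c:
            entries.append((m.group(1), c.group(1), c.group(2)))
    return entries

def classify_location(loc):
    """'libc' when the fault is reached inside libc code, else the program binary."""
    return "libc" if "libc" in loc or loc.endswith(".S") else "otfccdump"

def summarize(text):
    """Counts per bug class and per crash-site owner, for quick triage."""
    by_class, by_location = Counter(), Counter()
    for _, bug_class, loc in parse_report(text):
        by_class[bug_class] += 1
        by_location[classify_location(loc)] += 1
    return by_class, by_location

def cves_missing_from(text, changelog):
    """CVE ids from the report that a changelog entry does not mention."""
    wanted = {cve for cve, _, _ in parse_report(text)}
    return sorted(wanted - set(re.findall(r"CVE-\d{4}-\d+", changelog)))
```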
