Your message dated Wed, 14 Sep 2022 15:40:24 +0200
with message-id <20220914134024.GA18052@inutil.org>
and subject line Re: Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
has caused the Debian Bug report #1019602,
regarding texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1019602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019602
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Mon, 12 Sep 2022 22:46:01 +0200
- Message-id: <Yx+aibardhZH5Y9c@pisco.westfalen.local>
Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for OTFCC, which starting with some texlive release after Bullseye gets included in texlive (web2c/mfluadir):

https://cvjark.github.io/2022/07/06/CVE-2022-33047/

CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.

CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.

CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.

CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.

CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.

CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.

CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.

CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.

CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.

CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.

CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.

CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.

CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.

CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.

CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.

CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.

CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.

CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.

CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: Hilmar Preuße <hille42@web.de>
- Cc: 1019602-done@bugs.debian.org
- Subject: Re: Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Wed, 14 Sep 2022 15:40:24 +0200
- Message-id: <20220914134024.GA18052@inutil.org>
- In-reply-to: <24d569cd-f6e2-2af7-ac0d-7e185ebb19a8@web.de>
- References: <Yx+aibardhZH5Y9c@pisco.westfalen.local> <24d569cd-f6e2-2af7-ac0d-7e185ebb19a8@web.de>
On Wed, Sep 14, 2022 at 12:04:34AM +0200, Hilmar Preuße wrote:
> On 12.09.2022 at 22:46 Moritz Mühlenhoff wrote:
> > Source: texlive-bin
> > X-Debbugs-CC: team@security.debian.org
> > Severity: important
> > Tags: security
> > Hi,
>
> The otfccdump binary is not built by any source package, hence we are not
> affected. Yes, we carry the source code of the program, but we don't use it.
> The otfcc project seems to be dead anyway:
>
> https://github.com/caryll/otfcc

Ok, then we can simply close the bug, then. I'll mark the CVEs as non-issues
in the Debian security tracker.

Cheers,
Moritz
--- End Message ---