
Bug#1019602: marked as done (texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458)



Your message dated Wed, 14 Sep 2022 15:40:24 +0200
with message-id <20220914134024.GA18052@inutil.org>
and subject line Re: Bug#1019602: texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
has caused the Debian Bug report #1019602,
regarding texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1019602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019602
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for OTFCC, which, starting
with some texlive release after Bullseye, gets included in texlive
(web2c/mfluadir):

https://cvjark.github.io/2022/07/06/CVE-2022-33047/

CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.

CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.

CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.

CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.

CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.

CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.

CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.

CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.

CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.

CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.

CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.

CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.

CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.

CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.

CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.

CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.

CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.

CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.

CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458

Please adjust the affected versions in the BTS as needed.

--- End Message ---
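The 28 descriptions above give nothing but a bug class and a build-specific offset into a stripped `otfccdump` binary, so before anyone can decide whether they are 28 bugs or a handful, the first triage step is to see how many distinct crash sites the list actually names. The script below is an added example, not code from the bug report, from Debian or from the otfcc project: it parses the advisory entries (transcribed inline from the report, one compact line per CVE), counts them by bug class, groups offsets that fall within a few hundred bytes of each other as a cheap hint that several CVEs land in the same function, and separates out the two entries whose crash site is inside libc rather than in `otfccdump`. The 0x200-byte window is an assumed heuristic, not a symbolization; only `addr2line` against the exact `release-x64` build the reporter used could confirm which function each offset belongs to.

```python
import re
from collections import Counter
from os.path import basename

# Constructed from the 28 CVE descriptions in the bug report above:
# id, bug class, crash site exactly as the advisory gives it. Nothing else
# (the input font, the stack, the build) is known from the report.
ADVISORY = """\
CVE-2022-35486 segmentation violation /release-x64/otfccdump+0x6badae
CVE-2022-35485 segmentation violation /release-x64/otfccdump+0x703969
CVE-2022-35484 segmentation violation /release-x64/otfccdump+0x6b6a8f
CVE-2022-35483 segmentation violation /release-x64/otfccdump+0x5266a8
CVE-2022-35482 segmentation violation /release-x64/otfccdump+0x65f724
CVE-2022-35481 segmentation violation /multiarch/memmove-vec-unaligned-erms.S
CVE-2022-35479 segmentation violation /release-x64/otfccdump+0x4fbbb6
CVE-2022-35478 segmentation violation /release-x64/otfccdump+0x6babea
CVE-2022-35477 segmentation violation /release-x64/otfccdump+0x4fe954
CVE-2022-35476 segmentation violation /release-x64/otfccdump+0x4fbc0b
CVE-2022-35475 heap-buffer overflow /release-x64/otfccdump+0x6e41a8
CVE-2022-35474 heap-buffer overflow /release-x64/otfccdump+0x6b544e
CVE-2022-35473 segmentation violation /release-x64/otfccdump+0x4fe9a7
CVE-2022-35472 global overflow /release-x64/otfccdump+0x718693
CVE-2022-35471 heap-buffer overflow /release-x64/otfccdump+0x6e41b0
CVE-2022-35470 heap-buffer overflow /release-x64/otfccdump+0x65fc97
CVE-2022-35469 segmentation violation /x86_64-linux-gnu/libc.so.6+0xbb384
CVE-2022-35468 heap-buffer overflow /release-x64/otfccdump+0x6e420d
CVE-2022-35467 heap-buffer overflow /release-x64/otfccdump+0x6e41b8
CVE-2022-35466 heap-buffer overflow /release-x64/otfccdump+0x6c0473
CVE-2022-35465 heap-buffer overflow /release-x64/otfccdump+0x6c0414
CVE-2022-35464 heap-buffer overflow /release-x64/otfccdump+0x6171b2
CVE-2022-35463 heap-buffer overflow /release-x64/otfccdump+0x6b0478
CVE-2022-35462 heap-buffer overflow /release-x64/otfccdump+0x6c0bc3
CVE-2022-35461 heap-buffer overflow /release-x64/otfccdump+0x6c0a32
CVE-2022-35460 heap-buffer overflow /release-x64/otfccdump+0x61731f
CVE-2022-35459 heap-buffer overflow /release-x64/otfccdump+0x6e412a
CVE-2022-35458 heap-buffer overflow /release-x64/otfccdump+0x6b05ce
"""

# "<cve> <bug class> <site>[+0x<offset>]"; the offset is absent when the
# advisory names only a source file (the memmove entry).
ENTRY_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<kind>.+?)\s+"
    r"(?P<site>\S+?)(?:\+0x(?P<off>[0-9a-fA-F]+))?$"
)


def parse(text):
    """Return one dict per entry: cve, kind, module (basename), offset or None."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed advisory line: {line!r}")
        off = m.group("off")
        entries.append({
            "cve": m.group("cve"),
            "kind": m.group("kind"),
            "module": basename(m.group("site")),
            "offset": int(off, 16) if off is not None else None,
        })
    return entries


def cluster_offsets(entries, module="otfccdump", window=0x200):
    """Group crash sites in `module` whose offsets lie within `window` bytes of
    the previous one in sorted order. Nearby offsets in a stripped binary are a
    hint (assumed heuristic, not proof) that the CVEs hit the same function."""
    located = sorted(
        (e for e in entries if e["module"] == module and e["offset"] is not None),
        key=lambda e: e["offset"],
    )
    clusters = []
    for e in located:
        if clusters and e["offset"] - clusters[-1][-1]["offset"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def outside_module(entries, module="otfccdump"):
    """Entries whose faulting instruction is in a library (here libc): the bug
    is in the caller, so the reported offset identifies no otfcc function."""
    return [e for e in entries if e["module"] != module]


def summarize(text):
    entries = parse(text)
    return {
        "total": len(entries),
        "by_kind": dict(Counter(e["kind"] for e in entries)),
        "clusters": [[e["cve"] for e in c] for c in cluster_offsets(entries)],
        "in_libc": [e["cve"] for e in outside_module(entries)],
    }


if __name__ == "__main__":
    s = summarize(ADVISORY)
    print(f"{s['total']} CVEs by class: {s['by_kind']}")
    print(f"{len(s['clusters'])} distinct offset clusters in otfccdump:")
    for c in s["clusters"]:
        print("  " + ", ".join(c))
    print("crash site in libc (caller frame needed):", ", ".join(s["in_libc"]))
```

On this input the 26 `otfccdump` offsets collapse to 15 clusters, the largest being five heap-overflow CVEs within 0xe3 bytes of each other (CVE-2022-35459, -35475, -35471, -35467, -35468), and two entries (CVE-2022-35481, CVE-2022-35469) fault inside libc and cannot be attributed to any otfcc function from the description alone. That is the kind of picture a maintainer wants before deciding how many fixes, if any, a batch of fuzzer-derived CVEs really requires.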
--- Begin Message ---
On Wed, Sep 14, 2022 at 12:04:34AM +0200, Hilmar Preuße wrote:
> Am 12.09.2022 um 22:46 teilte Moritz Mühlenhoff mit:
> > Source: texlive-bin
> > X-Debbugs-CC: team@security.debian.org
> > Severity: important
> > Tags: security
> 
> Hi,
> 
> The otfccdump binary is not built by any source package, hence we are not
> affected. Yes, we carry the source code of the program, but we don't use it.
> The otfcc project seems to be dead anyway:
> 
> https://github.com/caryll/otfcc

Ok, then we can simply close the bug. I'll mark the CVEs as non issues
in the Debian security tracker.

Cheers,
        Moritz

--- End Message ---