Recent Vulnerabilities Research Posts Trends Blog About Contact

Source

Debian Bug report logs - #1019602
texlive-bin: CVE-2022-35486 CVE-2022-35485 CVE-2022-35484 CVE-2022-35483 CVE-2022-35482 CVE-2022-35481 CVE-2022-35479 CVE-2022-35478 CVE-2022-35477 CVE-2022-35476 CVE-2022-35475 CVE-2022-35474 CVE-2022-35473 CVE-2022-35472 CVE-2022-35471 CVE-2022-35470 CVE-2022-35469 CVE-2022-35468 CVE-2022-35467 CVE-2022-35466 CVE-2022-35465 CVE-2022-35464 CVE-2022-35463 CVE-2022-35462 CVE-2022-35461 CVE-2022-35460 CVE-2022-35459 CVE-2022-35458

Package: src:texlive-bin; Maintainer for src:texlive-bin is Debian TeX Task Force <debian-tex-maint@lists.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 12 Sep 2022 20:51:02 UTC

Severity: important

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian TeX Task Force <debian-tex-maint@lists.debian.org>:
Bug#1019602; Package src:texlive-bin. (Mon, 12 Sep 2022 20:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian TeX Task Force <debian-tex-maint@lists.debian.org>. (Mon, 12 Sep 2022 20:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: texlive-bin
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for OFTCC, which starting
with some texlive release after Bullseye gets included in texlive
(web2c/mfluadir):

https://cvjark.github.io/2022/07/06/CVE-2022-33047/

CVE-2022-35486[0]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6badae.

CVE-2022-35485[1]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x703969.

CVE-2022-35484[2]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6b6a8f.

CVE-2022-35483[3]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x5266a8.

CVE-2022-35482[4]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x65f724.

CVE-2022-35481[5]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /multiarch/memmove-vec-unaligned-erms.S.

CVE-2022-35479[6]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbbb6.

CVE-2022-35478[7]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x6babea.

CVE-2022-35477[8]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe954.

CVE-2022-35476[9]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fbc0b.

CVE-2022-35475[10]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41a8.

CVE-2022-35474[11]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b544e.

CVE-2022-35473[12]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /release-x64/otfccdump+0x4fe9a7.

CVE-2022-35472[13]:
| OTFCC v0.10.4 was discovered to contain a global overflow via
| /release-x64/otfccdump+0x718693.

CVE-2022-35471[14]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b0.

CVE-2022-35470[15]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x65fc97.

CVE-2022-35469[16]:
| OTFCC v0.10.4 was discovered to contain a segmentation violation via
| /x86_64-linux-gnu/libc.so.6+0xbb384.

CVE-2022-35468[17]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e420d.

CVE-2022-35467[18]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e41b8.

CVE-2022-35466[19]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0473.

CVE-2022-35465[20]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0414.

CVE-2022-35464[21]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6171b2.

CVE-2022-35463[22]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b0478.

CVE-2022-35462[23]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0bc3.

CVE-2022-35461[24]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6c0a32.

CVE-2022-35460[25]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x61731f.

CVE-2022-35459[26]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6e412a.

CVE-2022-35458[27]:
| OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via
| /release-x64/otfccdump+0x6b05ce.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-35486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35486
[1] https://security-tracker.debian.org/tracker/CVE-2022-35485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35485
[2] https://security-tracker.debian.org/tracker/CVE-2022-35484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35484
[3] https://security-tracker.debian.org/tracker/CVE-2022-35483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35483
[4] https://security-tracker.debian.org/tracker/CVE-2022-35482
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35482
[5] https://security-tracker.debian.org/tracker/CVE-2022-35481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35481
[6] https://security-tracker.debian.org/tracker/CVE-2022-35479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35479
[7] https://security-tracker.debian.org/tracker/CVE-2022-35478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35478
[8] https://security-tracker.debian.org/tracker/CVE-2022-35477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35477
[9] https://security-tracker.debian.org/tracker/CVE-2022-35476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35476
[10] https://security-tracker.debian.org/tracker/CVE-2022-35475
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35475
[11] https://security-tracker.debian.org/tracker/CVE-2022-35474
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35474
[12] https://security-tracker.debian.org/tracker/CVE-2022-35473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35473
[13] https://security-tracker.debian.org/tracker/CVE-2022-35472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35472
[14] https://security-tracker.debian.org/tracker/CVE-2022-35471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35471
[15] https://security-tracker.debian.org/tracker/CVE-2022-35470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35470
[16] https://security-tracker.debian.org/tracker/CVE-2022-35469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35469
[17] https://security-tracker.debian.org/tracker/CVE-2022-35468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35468
[18] https://security-tracker.debian.org/tracker/CVE-2022-35467
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35467
[19] https://security-tracker.debian.org/tracker/CVE-2022-35466
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35466
[20] https://security-tracker.debian.org/tracker/CVE-2022-35465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35465
[21] https://security-tracker.debian.org/tracker/CVE-2022-35464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35464
[22] https://security-tracker.debian.org/tracker/CVE-2022-35463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35463
[23] https://security-tracker.debian.org/tracker/CVE-2022-35462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35462
[24] https://security-tracker.debian.org/tracker/CVE-2022-35461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35461
[25] https://security-tracker.debian.org/tracker/CVE-2022-35460
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35460
[26] https://security-tracker.debian.org/tracker/CVE-2022-35459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35459
[27] https://security-tracker.debian.org/tracker/CVE-2022-35458
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35458

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Sep 2022 04:24:11 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 13 13:21:03 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Vulmon Search

About

Products

Connect