Bug 29889

Summary: harfbuzz new security issue CVE-2021-45931
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: David GEIGER <geiger.david68210>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: cjw, yvesbrungard
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: harfbuzz-2.7.4-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-01-13 17:32:43 CET
Fedora has issued an advisory today (January 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5A7TCR2MY46YK3NHQZB3SLESUH354IEA/

The issue is fixed upstream in 2.9.1.

Comment 1 Lewis Smith 2022-01-13 19:33:38 CET
A toss-up between DavidG (assigning) & Christiaan (CC'ing).

CC: (none) => cjw
Assignee: bugsquad => geiger.david68210

Comment 2 papoteur 2022-05-24 13:32:45 CEST
According to Debian
https://security-tracker.debian.org/tracker/CVE-2021-45931
> introduced in https://github.com/harfbuzz/harfbuzz/commit/f0c3804fa292ef3be41cc8d1cdea8239f00e2295 (2.9.1)
> vulnerable code not present in 2.9.0 git tag, error in CVE description
Mageia 8 has 2.7.4
Thus, I would conclude that Mageia 8 is not affected.

CC: (none) => yves.brungard_mageia

Comment 3 David Walser 2022-05-24 14:23:02 CEST
RedHat bug now says the same.  Thanks.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Kathy Barrera 2023-06-01 09:31:08 CEST

CC: (none) => herringburdensome

David Walser 2023-06-03 18:57:10 CEST

CC: herringburdensome => (none)