Bug 29889 - harfbuzz new security issue CVE-2021-45931
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
 
Reported: 2022-01-13 17:32 CET by David Walser
Modified: 2023-06-03 18:57 CEST

Source RPM: harfbuzz-2.7.4-1.mga8.src.rpm

Description David Walser 2022-01-13 17:32:43 CET
Fedora has issued an advisory today (January 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5A7TCR2MY46YK3NHQZB3SLESUH354IEA/

The issue is fixed upstream in 2.9.1.
Comment 1 Lewis Smith 2022-01-13 19:33:38 CET
A toss-up between DavidG (assigning) & Christiaan (CC'ing).

CC: (none) => cjw
Assignee: bugsquad => geiger.david68210

Comment 2 papoteur 2022-05-24 13:32:45 CEST
According to Debian
https://security-tracker.debian.org/tracker/CVE-2021-45931
> introduced in https://github.com/harfbuzz/harfbuzz/commit/f0c3804fa292ef3be41cc8d1cdea8239f00e2295 (2.9.1)
> vulnerable code not present in 2.9.0 git tag, error in CVE description
Mageia 8 has 2.7.4
Thus, I would conclude that Mageia 8 is not affected.

CC: (none) => yves.brungard_mageia

Comment 3 David Walser 2022-05-24 14:23:02 CEST
RedHat bug now says the same.  Thanks.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Kathy Barrera 2023-06-01 09:31:08 CEST

CC: (none) => herringburdensome

David Walser 2023-06-03 18:57:10 CEST

CC: herringburdensome => (none)

