https://bugzilla.redhat.com/show_bug.cgi?id=2036820
Bug ID: 2036820
Summary: CVE-2021-45931 harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: bdettelb@redhat.com, caolanm@redhat.com, caswilli@redhat.com, eng-i18n-bugs@redhat.com, erack@redhat.com, erik-fedora@vanpienbroek.nl, i18n-bugs@lists.fedoraproject.org, jburrell@redhat.com, jhorak@redhat.com, jwong@redhat.com, kaycoth@redhat.com, klember@redhat.com, manisandro@gmail.com, moceap@hotmail.com, nobody@redhat.com, pnemade@redhat.com, psatpute@redhat.com, rh-spice-bugs@redhat.com, stransky@redhat.com, tpopela@redhat.com, tuxator@o2.pl
Target Milestone: ---
Classification: Other
An out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
External Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425
Marian Rehak mrehak@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |2036821, 2036822
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2036821 [Bug 2036821] CVE-2021-45931 harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2036822 [Bug 2036822] CVE-2021-45931 mingw-harfbuzz: harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set [fedora-all]
--- Comment #1 from Marian Rehak mrehak@redhat.com ---
Created harfbuzz tracking bugs for this issue:
Affects: fedora-all [bug 2036821]
Created mingw-harfbuzz tracking bugs for this issue:
Affects: fedora-all [bug 2036822]
Marian Rehak mrehak@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Blocks     |        |2036823
--- Comment #2 from Sandro Mani manisandro@gmail.com ---
I believe this is https://github.com/harfbuzz/harfbuzz/pull/3162, which is fixed in harfbuzz 2.9.1+
--- Comment #3 from Parag Nemade pnemade@redhat.com ---
Well, I can rebase harfbuzz to the 2.9.1 version in F35, not to 3.0.0+ versions. The 3.0.0 version created issues in Fedora and some packages need to be fixed manually.
Parag Nemade pnemade@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Flags      |        |needinfo?(mrehak@redhat.com)
--- Comment #4 from Parag Nemade pnemade@redhat.com ---
But where is a simple reproducer that I can use and then test if the above PR is really a fix?
Marian Rehak mrehak@redhat.com changed:
What       |Removed                      |Added
----------------------------------------------------------------------------
Flags      |needinfo?(mrehak@redhat.com) |
Bug 2036820 depends on bug 2036822, which changed state.
Bug 2036822 Summary: CVE-2021-45931 mingw-harfbuzz: harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2036822
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Garrett Tucker gtucker@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |2040517, 2040518, 2040516
Jens Petersen petersen@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |ASSIGNED
--- Comment #6 from Parag Nemade pnemade@redhat.com ---
Yesterday I spent a good amount of time on this CVE issue and concluded that those Fedora/RHEL releases which have only the harfbuzz-2.9.0 build are affected. So actually no Fedora release is affected by this CVE. The code got introduced and fixed between the 2.9.0 and 2.9.1 upstream releases.
So this CVE is actually NOTABUG.
Bug 2036820 depends on bug 2036821, which changed state.
Bug 2036821 Summary: CVE-2021-45931 harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2036821
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
Parag Nemade pnemade@redhat.com changed:
What        |Removed  |Added
----------------------------------------------------------------------------
Resolution  |---      |NOTABUG
Status      |ASSIGNED |CLOSED
Last Closed |         |2022-02-15 07:06:01
--- Doc Text *updated* by TEJ RATHI trathi@redhat.com ---
HarfBuzz is susceptible to an out-of-bounds write flaw arising from a boundary error in the hb_bit_set_invertible_t::set() function when processing untrusted input. An attacker, by creating a specially crafted file and enticing the victim to open it, can trigger an out-of-bounds write. In some cases, this could lead to the execution of arbitrary code on the target system or, more commonly, result in a denial-of-service attack.
TEJ RATHI trathi@redhat.com changed:
What             |Removed |Added
----------------------------------------------------------------------------
Fixed In Version |        |harfbuzz 2.9.1
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com ---
An out-of-bounds write flaw was found in HarfBuzz, arising from a boundary error in the hb_bit_set_invertible_t::set() function when processing untrusted input. This flaw allows an attacker to create a specially crafted file, convince the victim to open it, and trigger an out-of-bounds write. In some cases, this issue could lead to the execution of arbitrary code on the target system or, more commonly, result in a denial of service attack.