Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Jul 2016 11:44:33 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Requests: HarfBuzz - Chromium CVE issues

Hello,

Google released a chromium advisory[0], in which a bunch of harfbuzz
issues were mentioned. However only one CVE was assigned to multiple
issues as per https://bugs.chromium.org/p/chromium/issues/detail?id=544270


Looking a bit into the attached bug and going a few links down, i
realized that there are atleast 3 issues in here which are CVE worthy.
Details as follows:

1. Heap based buffer overflow:
https://github.com/behdad/harfbuzz/issues/139#issuecomment-146984679

2. Fix hmtx wrong table length check:
https://github.com/behdad/harfbuzz/issues/139#issuecomment-148289957

3. heap-buffer-overflow in hb_ot_face_metrics_accelerator_t::get_advance
https://github.com/behdad/harfbuzz/issues/156

Can MITRE please assign CVEs to these issues?

Also, assuming we still have a policy of one issue one CVE, how does
MITRE plan to handle vendors who assign one CVE to multiple non-related
issues?


[0]
http://googlechromereleases.blogspot.in/2016/01/stable-channel-update_20.html
-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ