Date: Thu, 14 Jul 2016 11:44:33 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org> Subject: CVE Requests: HarfBuzz - Chromium CVE issues Hello, Google released a chromium advisory, in which a bunch of harfbuzz issues were mentioned. However only one CVE was assigned to multiple issues as per https://bugs.chromium.org/p/chromium/issues/detail?id=544270 Looking a bit into the attached bug and going a few links down, i realized that there are atleast 3 issues in here which are CVE worthy. Details as follows: 1. Heap based buffer overflow: https://github.com/behdad/harfbuzz/issues/139#issuecomment-146984679 2. Fix hmtx wrong table length check: https://github.com/behdad/harfbuzz/issues/139#issuecomment-148289957 3. heap-buffer-overflow in hb_ot_face_metrics_accelerator_t::get_advance https://github.com/behdad/harfbuzz/issues/156 Can MITRE please assign CVEs to these issues? Also, assuming we still have a policy of one issue one CVE, how does MITRE plan to handle vendors who assign one CVE to multiple non-related issues?  http://googlechromereleases.blogspot.in/2016/01/stable-channel-update_20.html -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ