Date: Thu, 14 Jul 2016 11:44:33 +0530
From: Huzaifa Sidhpurwala <>
        Mitre CVE assign department <>
Subject: CVE Requests: HarfBuzz - Chromium CVE issues


Google released a Chromium advisory[0], in which a bunch of HarfBuzz
issues were mentioned. However, only one CVE was assigned to multiple
issues as per

Looking a bit into the attached bug and going a few links down, I
realized that there are at least 3 issues in here which are CVE worthy.
Details as follows:

1. Heap based buffer overflow:

2. Fix hmtx wrong table length check:

3. heap-buffer-overflow in hb_ot_face_metrics_accelerator_t::get_advance

Can MITRE please assign CVEs to these issues?

Also, assuming we still have a policy of one issue one CVE, how does
MITRE plan to handle vendors who assign one CVE to multiple non-related

Huzaifa Sidhpurwala / Red Hat Product Security Team
