oss-sec mailing list archives
CVE Requests: HarfBuzz - Chromium CVE issues
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 14 Jul 2016 11:44:33 +0530
Hello, Google released a chromium advisory[0], in which a bunch of harfbuzz issues were mentioned. However only one CVE was assigned to multiple issues as per https://bugs.chromium.org/p/chromium/issues/detail?id=544270 Looking a bit into the attached bug and going a few links down, i realized that there are atleast 3 issues in here which are CVE worthy. Details as follows: 1. Heap based buffer overflow: https://github.com/behdad/harfbuzz/issues/139#issuecomment-146984679 2. Fix hmtx wrong table length check: https://github.com/behdad/harfbuzz/issues/139#issuecomment-148289957 3. heap-buffer-overflow in hb_ot_face_metrics_accelerator_t::get_advance https://github.com/behdad/harfbuzz/issues/156 Can MITRE please assign CVEs to these issues? Also, assuming we still have a policy of one issue one CVE, how does MITRE plan to handle vendors who assign one CVE to multiple non-related issues? [0] http://googlechromereleases.blogspot.in/2016/01/stable-channel-update_20.html -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Current thread:
- CVE Requests: HarfBuzz - Chromium CVE issues Huzaifa Sidhpurwala (Jul 13)
- Re: CVE Requests: HarfBuzz - Chromium CVE issues cve-assign (Jul 17)
- Re: Re: CVE Requests: HarfBuzz - Chromium CVE issues Huzaifa Sidhpurwala (Jul 17)
- Re: CVE Requests: HarfBuzz - Chromium CVE issues cve-assign (Jul 18)
- Re: Re: CVE Requests: HarfBuzz - Chromium CVE issues Huzaifa Sidhpurwala (Jul 17)
- Re: CVE Requests: HarfBuzz - Chromium CVE issues cve-assign (Jul 17)