Bug 2036820 (CVE-2021-45931)

Summary: CVE-2021-45931 harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, caolanm, caswilli, eng-i18n-bugs, erack, erik-fedora, i18n-bugs, jburrell, jhorak, jwong, kaycoth, klember, manisandro, moceap, nobody, pnemade, psatpute, rh-spice-bugs, stransky, tpopela, tuxator
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: harfbuzz 2.9.1 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in HarfBuzz, arising from a boundary error in the hb_bit_set_invertible_t::set() function when processing untrusted input. This flaw allows an attacker to create a specially crafted file, convince the victim to open it, and trigger an out-of-bounds write. In some cases, this issue could lead to the execution of arbitrary code on the target system or, more commonly, result in a denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-02-15 07:06:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2036821, 2036822, 2040516, 2040517, 2040518    
Bug Blocks: 2036823    

Description Marian Rehak 2022-01-04 06:03:26 UTC 
An out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).

External Reference:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425
Comment 1 Marian Rehak 2022-01-04 06:03:51 UTC 
Created harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 2036821]


Created mingw-harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 2036822]
Comment 2 Sandro Mani 2022-01-04 08:39:57 UTC 
I believe this is https://github.com/harfbuzz/harfbuzz/pull/3162, which is fixed in harfbuzz 2.9.1+
Comment 3 Parag Nemade 2022-01-04 08:47:08 UTC 
Well, I can rebase harfbuzz to 2.9.1 version in F35 not 3.0.0+ versions. The 3.0.0 version created issues in Fedora and some packages need to be fixed manually.
Comment 4 Parag Nemade 2022-01-06 11:19:06 UTC 
But where is simple reproducer that I can use and then test if above PR is really a fix?
Comment 6 Parag Nemade 2022-01-20 03:09:21 UTC 
Yesterday I spend good amount of time on this CVE issue and concluded that those Feodra/RHEL releases which have only harfbuzz-2.9.0 build are affected. So actually No Fedora release is affected by this CVE.
The code got introduced and fixed between 2.9.0 to 2.9.1 upstream release. 

So this CVE is actually NOTABUG.