Bug 2063268 (CVE-2021-32434, CVE-2021-32435, CVE-2021-32436)

Summary: CVE-2021-32434 CVE-2021-32435 CVE-2021-32436 abcm2ps: multiple security vulnerabilities
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: gemi, stuart
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-11 20:31:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2063269, 2063270
Bug Blocks:

Description Patrick Del Bello 2022-03-11 16:55:32 UTC
Three new CVEs were found in the abcm2ps package, version 8.14.11:

CVE-2021-32435

Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.

https://github.com/leesavide/abcm2ps/commit/3169ace6d63f6f517a64e8df0298f44a490c4a15
https://github.com/leesavide/abcm2ps/issues/84

-

CVE-2021-32436

An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.

https://github.com/leesavide/abcm2ps/commit/2f56e1179cab6affeb8afa9d6c324008fe40d8e3
https://github.com/leesavide/abcm2ps/issues/85

-

CVE-2021-32434

abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.

https://github.com/leesavide/abcm2ps/commit/2f56e1179cab6affeb8afa9d6c324008fe40d8e3
https://github.com/leesavide/abcm2ps/issues/83

Comment 1 Patrick Del Bello 2022-03-11 16:56:31 UTC
Created abcm2ps tracking bugs for this issue:

Affects: epel-all [bug 2063269]
Affects: fedora-all [bug 2063270]

Comment 2 Product Security DevOps Team 2022-03-11 20:31:09 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.