Bug 2036820 (CVE-2021-45931) - CVE-2021-45931 harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set
Summary: CVE-2021-45931 harfbuzz: out-of-bounds write in hb_bit_set_invertible_t::set
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-45931
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2036821 2036822 2040516 2040517 2040518
Blocks: 2036823
TreeView+ depends on / blocked
 
Reported: 2022-01-04 06:03 UTC by Marian Rehak
Modified: 2024-02-16 15:20 UTC (History)
21 users (show)

Fixed In Version: harfbuzz 2.9.1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in HarfBuzz, arising from a boundary error in the hb_bit_set_invertible_t::set() function when processing untrusted input. This flaw allows an attacker to create a specially crafted file, convince the victim to open it, and trigger an out-of-bounds write. In some cases, this issue could lead to the execution of arbitrary code on the target system or, more commonly, result in a denial of service attack.
Clone Of:
Environment:
Last Closed: 2022-02-15 07:06:01 UTC
Embargoed:


Attachments (Terms of Use)

Description Marian Rehak 2022-01-04 06:03:26 UTC
An out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).

External Reference:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

Comment 1 Marian Rehak 2022-01-04 06:03:51 UTC
Created harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 2036821]


Created mingw-harfbuzz tracking bugs for this issue:

Affects: fedora-all [bug 2036822]

Comment 2 Sandro Mani 2022-01-04 08:39:57 UTC
I believe this is https://github.com/harfbuzz/harfbuzz/pull/3162, which is fixed in harfbuzz 2.9.1+

Comment 3 Parag Nemade 2022-01-04 08:47:08 UTC
Well, I can rebase harfbuzz to 2.9.1 version in F35 not 3.0.0+ versions. The 3.0.0 version created issues in Fedora and some packages need to be fixed manually.

Comment 4 Parag Nemade 2022-01-06 11:19:06 UTC
But where is simple reproducer that I can use and then test if above PR is really a fix?

Comment 6 Parag Nemade 2022-01-20 03:09:21 UTC
Yesterday I spend good amount of time on this CVE issue and concluded that those Feodra/RHEL releases which have only harfbuzz-2.9.0 build are affected. So actually No Fedora release is affected by this CVE.
The code got introduced and fixed between 2.9.0 to 2.9.1 upstream release. 

So this CVE is actually NOTABUG.


Note You need to log in before you can comment on or make changes to this bug.