CVE-2021-36081: Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call.
Fixed commit according to oss-fuzz: https://github.com/tesseract-ocr/tesseract/commit/e6f15621c2ab2ecbfabf656942d8ef66f03b2d55
The referenced strpbrk call doesn't appear to be in the deleted files in this commit, so this may not be actually fixed.
Package list is empty or all packages have requested keywords.
I have trouble finding where this use-after-free is, I do not *think* this was present in stable releases (4.x) and it is considered ok in current 5.0 beta if I read correctly?
(In reply to Bernard Cafarelli from comment #8)
> I have trouble finding where this use-after-free is, I do not *think* this
> was present in stable releases (4.x) and it is considered ok in current 5.0
> beta if I read correctly?
No, versions in CVE descriptions are almost always useless unless they explicitly state a fixed version.
Still doesn't seem like we have a fix?
Digging in the CVE links I found a better report link!
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/tesseract-ocr/OSV-2021-211.yaml mentions a second "fixed" commit which looks more relevant than e6f15621c2ab2ecbfabf656942d8ef66f03b2d55:
https://github.com/tesseract-ocr/tesseract/commit/91b2b4f4a08d4693b02838636c53a2af93397138
Fix OSS-Fuzz issue 32142 (container-overflow write)
Included since 5.0.0-beta-20210815 (oldest version in tree is 5.3.0)
Ah, good find! Thank you!