CVE-2021-3522: GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags. This vulnerability is listed at URL, and openjfx doesn't depend on an external gstreamer. Does this affect our openjfx?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18fbd00f235dd87479fde7ea039a6b8339f8f6a

commit e18fbd00f235dd87479fde7ea039a6b8339f8f6a
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-11-18 04:48:45 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-11-18 04:48:45 +0000

    dev-java/openjfx: add gstreamer CVE-2021-3522 fix

    Bug: https://bugs.gentoo.org/819633
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjfx/files/11/gstreamer-CVE-2021-3522.patch | 31 ++++++++++++++++++++++
 dev-java/openjfx/openjfx-11.0.11_p1.ebuild         |  1 +
 2 files changed, 32 insertions(+)
Yes, this file is bundled with openjfx. I've added the CVE patch in openjfx-11.0.11; will clean up old versions sometime soon.
~arch only, so changing severity. Thanks!