Bug 799791 (CVE-2021-36081) - app-text/tesseract: use after free vulnerability (CVE-2021-36081)
Status: CONFIRMED
Alias: CVE-2021-36081
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: B3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-02 01:47 UTC by John Helmert III
Modified: 2021-08-26 22:02 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-02 01:47:15 UTC
CVE-2021-36081:

Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call.


Fixed commit according to oss-fuzz: https://github.com/tesseract-ocr/tesseract/commit/e6f15621c2ab2ecbfabf656942d8ef66f03b2d55

The referenced strpbrk call doesn't appear to be in the deleted files in this
commit, so this may not be actually fixed.
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:42 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Bernard Cafarelli gentoo-dev 2021-08-26 20:25:17 UTC
I have trouble finding where this use-after-free is, I do not *think* this was present in stable releases (4.x) and it is considered ok in current 5.0 beta if I read correctly?
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-26 22:02:45 UTC
(In reply to Bernard Cafarelli from comment #8)
> I have trouble finding where this use-after-free is, I do not *think* this
> was present in stable releases (4.x) and it is considered ok in current 5.0
> beta if I read correctly?

No, versions in CVE descriptions are almost always useless unless they explicitly state a fixed version.