Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 799791 (CVE-2021-36081) - app-text/tesseract: use after free vulnerability (CVE-2021-36081)
Summary: app-text/tesseract: use after free vulnerability (CVE-2021-36081)
Status: CONFIRMED
Alias: CVE-2021-36081
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: B3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-02 01:47 UTC by John Helmert III
Modified: 2021-08-26 22:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-07-02 01:47:15 UTC
CVE-2021-36081:

Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call.


Fixed commit according to oss-fuzz: https://github.com/tesseract-ocr/tesseract/commit/e6f15621c2ab2ecbfabf656942d8ef66f03b2d55

The referenced strpbrk call doesn't appear to be in the deleted files in this
commit, so this may not be actually fixed.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:11 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:19 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:16 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:22 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:27 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:20 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:42 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Bernard Cafarelli gentoo-dev 2021-08-26 20:25:17 UTC
I have trouble finding where this use-after-free is, I do not *think* this was present in stable releases (4.x) and it is considered ok in current 5.0 beta if I read correctly?
Comment 9 John Helmert III gentoo-dev Security 2021-08-26 22:02:45 UTC
(In reply to Bernard Cafarelli from comment #8)
> I have trouble finding where this use-after-free is, I do not *think* this
> was present in stable releases (4.x) and it is considered ok in current 5.0
> beta if I read correctly?

No, versions in CVE descriptions are almost always useless unless they explicitly state a fixed version.