CVE-2021-42700: Inkscape 0.19 is vulnerable to an out-of-bounds read, which may allow an attacker to have access to unauthorized information. CVE-2021-42702: Inkscape version 0.19 can access an uninitialized pointer, which may allow an attacker to have access to unauthorized information. CVE-2021-42704: Inkscape version 0.19 is vulnerable to an out-of-bounds write, which may allow an attacker to arbitrary execute code. URL is the only reference for these CVEs, no references to upstream to verify where these issues were fixed. Unsure whether we're fixed.
These versions are long gone.
(In reply to Andreas K. Hüttel from comment #1) > These versions are long gone. Where are the patches?
> CVE-2021-42700: > > Inkscape 0.19 is vulnerable to an out-of-bounds read, which may allow an > attacker to have access to unauthorized information. https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-03 "Inkscape has fixed these vulnerabilities and recommends users update to Version Inkscape 1.0 or later." > CVE-2021-42702: > > Inkscape version 0.19 can access an uninitialized pointer, which may allow > an attacker to have access to unauthorized information. https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-03 Inkscape has fixed these vulnerabilities and recommends users update to Version Inkscape 1.0 or later. > CVE-2021-42704: > > Inkscape version 0.19 is vulnerable to an out-of-bounds write, which may > allow an attacker to arbitrary execute code. https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-03 Inkscape has fixed these vulnerabilities and recommends users update to Version Inkscape 1.0 or later.
(In reply to Andreas K. Hüttel from comment #3) > > CVE-2021-42700: > > > > Inkscape 0.19 is vulnerable to an out-of-bounds read, which may allow an > > attacker to have access to unauthorized information. > > https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-03 > "Inkscape has fixed these vulnerabilities and recommends users update to > Version Inkscape 1.0 or later." > > > > CVE-2021-42702: > > > > Inkscape version 0.19 can access an uninitialized pointer, which may allow > > an attacker to have access to unauthorized information. > > https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-03 > Inkscape has fixed these vulnerabilities and recommends users update to > Version Inkscape 1.0 or later. > > > > CVE-2021-42704: > > > > Inkscape version 0.19 is vulnerable to an out-of-bounds write, which may > > allow an attacker to arbitrary execute code. > > https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-03 > Inkscape has fixed these vulnerabilities and recommends users update to > Version Inkscape 1.0 or later. Why do we trust that CISA isn't using arbitrary version numbers that appear to be compatible with the CVEs? We need to be able to verify these things rather than trust seemingly arbitrary assertions by third parties.
