CVE-2023-25193

Name:         CVE-2023-25193
Description:  hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
Source:       CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs:  1030612

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release       Version        Status
harfbuzz (PTS)    bullseye      2.7.4-1        vulnerable
                  bookworm      6.0.0+dfsg-3   vulnerable
                  sid, trixie   10.0.1-1       fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
harfbuzz   source   (unstable)   8.0.0-1                            1030612

Notes

[bookworm] - harfbuzz <no-dsa> (Minor issue)
[bullseye] - harfbuzz <no-dsa> (Minor issue)
[buster] - harfbuzz <no-dsa> (Minor issue)
Original fix: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc
Reverted: https://github.com/harfbuzz/harfbuzz/commit/661050b4659ee490dfe622821bc7fde7d1c40510
Fixed by: https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8 (7.0.0)
