CVE-2023-25193

Name: CVE-2023-25193
Description: hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1030612

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release              Version            Status
harfbuzz (PTS)    jessie, jessie (lts) 0.9.35-2+deb8u1    fixed
                  stretch              1.4.2-1            fixed
                  buster               2.3.1-1            vulnerable
                  bullseye             2.7.4-1            vulnerable
                  bookworm             6.0.0+dfsg-3       vulnerable
                  sid, trixie          10.1.0-1           fixed

The information below is based on the following data on fixed versions.

Package    Type     Release     Fixed Version    Urgency    Origin    Debian Bugs
harfbuzz   source   jessie      (not affected)
harfbuzz   source   stretch     (not affected)
harfbuzz   source   (unstable)  8.0.0-1                               1030612

Notes

[bookworm] - harfbuzz <no-dsa> (Minor issue)
[bullseye] - harfbuzz <no-dsa> (Minor issue)
[buster] - harfbuzz <no-dsa> (Minor issue)
Original fix: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc
Reverted: https://github.com/harfbuzz/harfbuzz/commit/661050b4659ee490dfe622821bc7fde7d1c40510
Fixed by: https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8 (7.0.0)
[stretch] - harfbuzz <not-affected> (The vulnerable code was introduced later)
[jessie] - harfbuzz <not-affected> (The vulnerable code was introduced later)
