CVE-2023-25193: hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. Patch: https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7f050bbcecb34d25f4fe76a954ff99348af562f commit a7f050bbcecb34d25f4fe76a954ff99348af562f Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2023-06-10 08:56:25 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2023-06-10 09:38:36 +0000 media-libs/harfbuzz: drop 6.0.0, 7.2.0 Bug: https://bugs.gentoo.org/905310 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/harfbuzz/Manifest | 2 - .../harfbuzz/files/harfbuzz-6.0.0-gcc-13.patch | 26 ------ media-libs/harfbuzz/harfbuzz-6.0.0.ebuild | 102 --------------------- media-libs/harfbuzz/harfbuzz-7.2.0.ebuild | 97 -------------------- 4 files changed, 227 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=35d8ccba61b3d6d50144bdcc72571f3375a6ad51 commit 35d8ccba61b3d6d50144bdcc72571f3375a6ad51 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-07-10 06:11:01 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-07-10 06:11:14 +0000 [ GLSA 202407-24 ] HarfBuzz: Denial of Service Bug: https://bugs.gentoo.org/905310 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202407-24.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)
