Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 905310 (CVE-2023-25193)

Summary: <media-libs/harfbuzz-7.1.0: DoS via excessive algorithmic complexity
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: office
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/31372
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 905701, 906224    
Bug Blocks: 912719    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 18:47:36 UTC 
CVE-2023-25193:

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Patch: https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8
Comment 1 Larry the Git Cow gentoo-dev 2023-06-10 09:39:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7f050bbcecb34d25f4fe76a954ff99348af562f

commit a7f050bbcecb34d25f4fe76a954ff99348af562f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-06-10 08:56:25 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-06-10 09:38:36 +0000

    media-libs/harfbuzz: drop 6.0.0, 7.2.0
    
    Bug: https://bugs.gentoo.org/905310
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/harfbuzz/Manifest                       |   2 -
 .../harfbuzz/files/harfbuzz-6.0.0-gcc-13.patch     |  26 ------
 media-libs/harfbuzz/harfbuzz-6.0.0.ebuild          | 102 ---------------------
 media-libs/harfbuzz/harfbuzz-7.2.0.ebuild          |  97 --------------------
 4 files changed, 227 deletions(-)