Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905310 (CVE-2023-25193) - <media-libs/harfbuzz-7.1.0: DoS via excessive algorithmic complexity
Summary: <media-libs/harfbuzz-7.1.0: DoS via excessive algorithmic complexity
Alias: CVE-2023-25193
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa?]
Keywords: PullRequest
Depends on: 905701 906224
Blocks: CVE-2023-22006, CVE-2023-22036, CVE-2023-22041, CVE-2023-22044, CVE-2023-22045, CVE-2023-22049
  Show dependency tree
Reported: 2023-04-29 18:47 UTC by John Helmert III
Modified: 2023-09-23 09:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 18:47:36 UTC

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Comment 1 Larry the Git Cow gentoo-dev 2023-06-10 09:39:11 UTC
The bug has been referenced in the following commit(s):

commit a7f050bbcecb34d25f4fe76a954ff99348af562f
Author:     Andreas Sturmlechner <>
AuthorDate: 2023-06-10 08:56:25 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2023-06-10 09:38:36 +0000

    media-libs/harfbuzz: drop 6.0.0, 7.2.0
    Signed-off-by: Andreas Sturmlechner <>

 media-libs/harfbuzz/Manifest                       |   2 -
 .../harfbuzz/files/harfbuzz-6.0.0-gcc-13.patch     |  26 ------
 media-libs/harfbuzz/harfbuzz-6.0.0.ebuild          | 102 ---------------------
 media-libs/harfbuzz/harfbuzz-7.2.0.ebuild          |  97 --------------------
 4 files changed, 227 deletions(-)