HarfBuzz: Denial of Service — GLSA 202407-24

A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service.

Affected packages

media-libs/harfbuzz on all architectures
Affected versions < 7.1.0
Unaffected versions >= 7.1.0

Background

HarfBuzz is an OpenType text shaping engine.

Description

Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details.

Impact

hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2) growth in processing time via consecutive marks, because the code looks back for a base glyph once per mark while attaching marks. A crafted font or text run can therefore cause a denial of service in any application that shapes it with an affected HarfBuzz.

Workaround

There is no known workaround at this time.

Resolution

All HarfBuzz users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/harfbuzz-7.1.0"
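As an added check that is not part of the GLSA, the following POSIX shell script reads the installed media-libs/harfbuzz version from Gentoo's package database (assumed to live under /var/db/pkg) and reports whether it is still below the 7.1.0 threshold given above. It handles plain dotted versions with an optional Gentoo -rN revision suffix only.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify that the installed
# media-libs/harfbuzz meets the >= 7.1.0 requirement of GLSA 202407-24.

FIXED_VERSION="7.1.0"

# version_ge A B: return 0 if dotted version A >= B, compared numerically
# component by component. A trailing Gentoo revision such as "-r1" is
# stripped first; other suffixes (e.g. "_p1") are not handled.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/-r[0-9]*$//')
    b=$(printf '%s' "$2" | sed 's/-r[0-9]*$//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v n="$i" '{print $n}')
        y=$(printf '%s' "$b" | awk -F. -v n="$i" '{print $n}')
        # Both version strings exhausted with no difference found: equal.
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}; y=${y:-0}          # missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# harfbuzz_vulnerable VERSION: return 0 if VERSION is affected by this GLSA.
harfbuzz_vulnerable() {
    if version_ge "$1" "$FIXED_VERSION"; then return 1; fi
    return 0
}

# installed_harfbuzz_version: print the version recorded in the package
# database directory /var/db/pkg/media-libs/harfbuzz-<version> (assumed
# location); prints nothing when the package is not installed.
installed_harfbuzz_version() {
    for d in /var/db/pkg/media-libs/harfbuzz-*; do
        [ -d "$d" ] || continue
        basename "$d" | sed 's/^harfbuzz-//'
    done
}

main() {
    v=$(installed_harfbuzz_version | head -n 1)
    if [ -z "$v" ]; then
        echo "media-libs/harfbuzz is not installed"
    elif harfbuzz_vulnerable "$v"; then
        echo "VULNERABLE: harfbuzz-$v < $FIXED_VERSION; apply the Resolution above"
    else
        echo "OK: harfbuzz-$v >= $FIXED_VERSION"
    fi
}

main
```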

References

Release date
July 10, 2024

Latest revision
July 10, 2024: 1

Severity
normal

Exploitable
local

Bugzilla entries