CVE-2023-25193
Published: 4 February 2023
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
Notes
Author | Note |
---|---|
rodrigo-zaiden | Commit 85be877925ddbf34f74a1229f3ca1716bb6170dc, which was claimed to fix the issue, got reverted in commit 661050b4659ee490dfe622821bc7fde7d1c40510; there are comments on the first discussing possible regressions. Instead, the commits listed in the patches section seem to properly fix the issue. For commit 30b84faba, _infos_set_glyph_flags() can be found as _unsafe_to_break_set_mask() for versions prior to 3.3.0, down to version 1.5.0, where the latter was added. GPOS lookups (src/OT/Layout/GPOS) moved to the current code baseline in version 4.4.1; before it, some of the methods can be found in src/hb-ot-layout-gsubgpos.hh. Releases prior to bionic do not have any of the code being fixed. Bionic itself could be patched with some of the commits, but not all. A careful check seems necessary to evaluate if it is really possible to fix it. |
Priority
Status
Package | Release | Status |
---|---|---|
openjdk | trusty | Ignored (end of standard support) |
openjdk | xenial | Ignored (end of standard support) |
openjdk | bionic | Ignored (end of standard support) |
openjdk | focal | Does not exist |
openjdk | jammy | Does not exist |
openjdk | lunar | Does not exist |
openjdk | upstream | Needs triage |
openjdk-8 | trusty | Does not exist |
openjdk-8 | xenial | Not vulnerable (code not present) |
openjdk-8 | bionic | Not vulnerable (code not present) |
openjdk-8 | focal | Not vulnerable (code not present) |
openjdk-8 | jammy | Not vulnerable (code not present) |
openjdk-8 | lunar | Not vulnerable (code not present) |
openjdk-8 | upstream | Needs triage |
openjdk-9 | trusty | Does not exist |
openjdk-9 | xenial | Ignored (no longer supported by upstream) |
openjdk-9 | bionic | Does not exist |
openjdk-9 | focal | Does not exist |
openjdk-9 | jammy | Does not exist |
openjdk-9 | lunar | Does not exist |
openjdk-9 | upstream | Needs triage |
openjdk-lts | trusty | Does not exist |
openjdk-lts | xenial | Does not exist |
openjdk-lts | upstream | Needs triage |
openjdk-lts | bionic | Released (11.0.20+8-1ubuntu1~18.04), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
openjdk-lts | focal | Released (11.0.20+8-1ubuntu1~20.04) |
openjdk-lts | jammy | Released (11.0.20+8-1ubuntu1~22.04) |
openjdk-lts | lunar | Released (11.0.20+8-1ubuntu1~23.04) |
openjdk-13 | trusty | Does not exist |
openjdk-13 | xenial | Does not exist |
openjdk-13 | bionic | Does not exist |
openjdk-13 | focal | Ignored (superseded by openjdk-17) |
openjdk-13 | jammy | Does not exist |
openjdk-13 | lunar | Does not exist |
openjdk-13 | upstream | Needs triage |
openjdk-16 | trusty | Does not exist |
openjdk-16 | xenial | Does not exist |
openjdk-16 | bionic | Does not exist |
openjdk-16 | focal | Ignored (superseded by openjdk-17) |
openjdk-16 | jammy | Does not exist |
openjdk-16 | lunar | Does not exist |
openjdk-16 | upstream | Needs triage |
openjdk-17 | trusty | Does not exist |
openjdk-17 | xenial | Does not exist |
openjdk-17 | bionic | Released (17.0.8+7-1~18.04), available with Ubuntu Pro |
openjdk-17 | focal | Released (17.0.8+7-1~20.04.2) |
openjdk-17 | jammy | Released (17.0.8+7-1~22.04) |
openjdk-17 | lunar | Released (17.0.8+7-1~23.04) |
openjdk-17 | upstream | Needs triage |
openjdk-18 | trusty | Does not exist |
openjdk-18 | xenial | Does not exist |
openjdk-18 | bionic | Does not exist |
openjdk-18 | focal | Does not exist |
openjdk-18 | jammy | Ignored (superseded by openjdk-19) |
openjdk-18 | lunar | Ignored (superseded by openjdk-19) |
openjdk-18 | upstream | Needs triage |
openjdk-19 | trusty | Does not exist |
openjdk-19 | xenial | Does not exist |
openjdk-19 | bionic | Does not exist |
openjdk-19 | focal | Does not exist |
openjdk-19 | jammy | Ignored (no longer supported by upstream) |
openjdk-19 | lunar | Ignored (superseded by openjdk-20) |
openjdk-19 | upstream | Needs triage |
openjdk-20 | trusty | Does not exist |
openjdk-20 | xenial | Does not exist |
openjdk-20 | bionic | Does not exist |
openjdk-20 | focal | Does not exist |
openjdk-20 | jammy | Does not exist |
openjdk-20 | lunar | Released (20.0.2+9+ds1-0ubuntu1~23.04) |
openjdk-20 | upstream | Needs triage |
openjdk-21 | trusty | Does not exist |
openjdk-21 | xenial | Does not exist |
openjdk-21 | bionic | Does not exist |
openjdk-21 | focal | Does not exist |
openjdk-21 | jammy | Does not exist |
openjdk-21 | lunar | Needs triage |
openjdk-21 | upstream | Needs triage |
openjdk-22 | trusty | Does not exist |
openjdk-22 | xenial | Does not exist |
openjdk-22 | bionic | Does not exist |
openjdk-22 | focal | Does not exist |
openjdk-22 | jammy | Does not exist |
openjdk-22 | lunar | Does not exist |
openjdk-22 | upstream | Needs triage |
harfbuzz | focal | Needed |
harfbuzz | jammy | Needed |
harfbuzz | kinetic | Ignored (end of life, was needed) |
harfbuzz | trusty | Not vulnerable (code not present) |
harfbuzz | xenial | Not vulnerable (code not present) |
harfbuzz | bionic | Needs triage |
harfbuzz | upstream | Released (7.0.0) |
harfbuzz | lunar | Needed |

Patches:
- upstream: https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8
- upstream: https://github.com/harfbuzz/harfbuzz/commit/30b84faba7811bed1b7c9828afd719f20e0086da
- upstream: https://github.com/harfbuzz/harfbuzz/commit/1930760bc2c2b4185a772e38b6ecc174a95a47b2
- upstream: https://github.com/harfbuzz/harfbuzz/commit/64fa5cd482d0be2e215998aa1c2a05b978133e7c
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193
- https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6ce8470/src/hb-ot-layout-gsubgpos.hh
- https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d92adb80e37088/DEPS#361
- https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc (reverted)
- https://ubuntu.com/security/notices/USN-6263-1
- https://ubuntu.com/security/notices/USN-6272-1
- NVD
- Launchpad
- Debian