Explore top 10 tips to secure your open-source projects now. Read More
×HarfBuzz could be made to consume resources if it opened a specially crafted font.. ========================================================================== Ubuntu Security Notice USN-7251-1 February 03, 2025 harfbuzz vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: HarfBuzz could be made to consume resources if it opened a specially crafted font. Software Description: - harfbuzz: OpenType text shaping engine Details: It was discovered that HarfBuzz incorrectly handled shaping certain fonts. A remote attacker could possibly use this issue to cause HarfBuzz to consume resources, leading to a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS libharfbuzz0b 2.7.4-1ubuntu3.2 Ubuntu 20.04 LTS libharfbuzz0b 2.6.4-1ubuntu4.3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7251-1 CVE-2023-25193 Package Information: https://launchpad.net/ubuntu/+source/harfbuzz/2.7.4-1ubuntu3.2 https://launchpad.net/ubuntu/+source/harfbuzz/2.6.4-1ubuntu4.3 . The recent security bulletin for Ubuntu USN-7252-1 highlights a vulnerability in the GStreamer framework that can lead to excessive resource utilization on various versions.. harfbuzz updates, Ubuntu security, resource denial service, software patching. . LinuxSecurity.com Team
HarfBuzz could be made to crash or run programs as your login if it opened a specially crafted file.. ========================================================================== Ubuntu Security Notice USN-7214-1 January 16, 2025 harfbuzz vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 Summary: HarfBuzz could be made to crash or run programs as your login if it opened a specially crafted file. Software Description: - harfbuzz: OpenType text shaping engine Details: It was discovered that HarfBuzz incorrecty handled certain memory operations. A remote attacker could use this issue to cause HarfBuzz to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 libharfbuzz-cairo0 9.0.0-1ubuntu0.1 libharfbuzz0b 9.0.0-1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7214-1 CVE-2024-56732 Package Information: https://launchpad.net/ubuntu/+source/harfbuzz/9.0.0-1ubuntu0.1 . A vulnerability in HarfBuzz could lead to crashes or arbitrary code execution; Ubuntu 24.10 users advised to upgrade.. harfbuzz, Ubuntu security, denial of service, code execution, security advisory. . Severity: Critical. LinuxSecurity.com Team
A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202407-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: HarfBuzz: Denial of Service Date: July 10, 2024 Bugs: #905310 ID: 202407-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in HarfBuzz, which can lead to a denial of service. Background ========== HarfBuzz is an OpenType text shaping engine. Affected packages ================= Package Vulnerable Unaffected ------------------- ------------ ------------ media-libs/harfbuzz < 7.1.0 > = 7.1.0 Description =========== Multiple vulnerabilities have been discovered in HarfBuzz. Please review the CVE identifiers referenced below for details. Impact ====== hb-ot-layout-gsubgpos.hh in HarfBuzz allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. Workaround ========== There is no known workaround at this time. Resolution ========== All HarfBuzz users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =media-libs/harfbuzz-7.1.0" References ========== [ 1 ] CVE-2023-22006 https://nvd.nist.gov/vuln/detail/CVE-2023-22006 [ 2 ] CVE-2023-22036 https://nvd.nist.gov/vuln/detail/CVE-2023-22036 [ 3 ] CVE-2023-22041 https://nvd.nist.gov/vuln/detail/CVE-2023-22041 [ 4 ] CVE-2023-22044 https://nvd.nist.gov/vuln/detail/CVE-2023-22044 [ 5 ] CVE-2023-22045 https://nvd.nist.gov/vuln/detail/CVE-2023-22045 [ 6 ] CVE-2023-22049 https://nvd.nist.gov/vuln/detail/CVE-2023-22049 [ 7 ] CVE-2023-25193 https://nvd.nist.gov/vuln/detail/CVE-2023-25193 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202407-24 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
The container bci/openjdk was updated. The following patches have been included in this update:. SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:1148-1 Container Tags : bci/openjdk:11 , bci/openjdk:11-35.27 Container Release : 35.27 Severity : important Type : security References : 1207922 CVE-2023-25193 ----------------------------------------------------------------- The container bci/openjdk was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1852-1 Released: Fri Apr 14 15:09:39 2023 Summary: Security update for harfbuzz Type: security Severity: important References: 1207922,CVE-2023-25193 This update for harfbuzz fixes the following issues: - CVE-2023-25193: Fixed vulnerability that allowed attackers to trigger O(n^2) growth via consecutive marks (bsc#1207922). The following package changes have been done: - libharfbuzz0-3.4.0-150400.3.6.1 updated - container:sles15-image-15.0.0-27.14.51 updated . This advisory informs users about critical security updates for the bci/openjdk container, addressing vulnerabilities that expose risk. Container Update, OpenJDK, Security Fixes. . Severity: Important. LinuxSecurity.com Team
The container bci/openjdk-devel was updated. The following patches have been included in this update:. SUSE Container Update Advisory: bci/openjdk-devel ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:1147-1 Container Tags : bci/openjdk-devel:11 , bci/openjdk-devel:11-39.54 Container Release : 39.54 Severity : important Type : security References : 1207922 CVE-2023-25193 ----------------------------------------------------------------- The container bci/openjdk-devel was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1852-1 Released: Fri Apr 14 15:09:39 2023 Summary: Security update for harfbuzz Type: security Severity: important References: 1207922,CVE-2023-25193 This update for harfbuzz fixes the following issues: - CVE-2023-25193: Fixed vulnerability that allowed attackers to trigger O(n^2) growth via consecutive marks (bsc#1207922). The following package changes have been done: - libharfbuzz0-3.4.0-150400.3.6.1 updated - container:bci-openjdk-11-15.4.11-35.27 updated . SUSE Container Maintenance Notice: bci/openjdk-runtime resolves critical vulnerabilities through enhancements and fixes.. SUSE Container Update, OpenJDK Security, Harfbuzz Patch. . Severity: Important. LinuxSecurity.com Team
Security fix for CVE-2023-25193 Update of HarfBuzz to 7.0.1 version (#2169172) Update of freetype to 2.13.0 version (#2168496) ---- Security fix for CVE-2023-25193, Update to 7.0.1 version (#2169172). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2023-a48406ecd2 2023-03-14 03:31:10.484456 --------------------------------------------------------------------------------Name : qt6-qtwebengine Product : Fedora 38 Version : 6.4.2 Release : 3.fc38 URL : https://www.qt.io/ Summary : Qt6 - QtWebEngine components Description : Qt6 - QtWebEngine components. --------------------------------------------------------------------------------Update Information: Security fix for CVE-2023-25193 Update of HarfBuzz to 7.0.1 version (#2169172) Update of freetype to 2.13.0 version (#2168496) ---- Security fix for CVE-2023-25193, Update to 7.0.1 version (#2169172) --------------------------------------------------------------------------------ChangeLog: * Sun Feb 26 2023 Marek Kasik - 6.4.2-3 - Rebuild for freetype-2.13.0 --------------------------------------------------------------------------------References: [ 1 ] Bug #2167254 - CVE-2023-25193 harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks https://bugzilla.redhat.com/show_bug.cgi?id=2167254 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-a48406ecd2' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Security fix for CVE-2023-25193 Update of HarfBuzz to 7.0.1 version (#2169172) Update of freetype to 2.13.0 version (#2168496) ---- Security fix for CVE-2023-25193, Update to 7.0.1 version (#2169172). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2023-a48406ecd2 2023-03-14 03:31:10.484456 --------------------------------------------------------------------------------Name : freetype Product : Fedora 38 Version : 2.13.0 Release : 2.fc38 URL : https://freetype.org/ Summary : A free and portable font rendering engine Description : The FreeType engine is a free and portable font rendering engine, developed to provide advanced font support for a variety of platforms and environments. FreeType is a library which can open and manages font files as well as efficiently load, hint and render individual glyphs. FreeType is not a font server or a complete text-rendering library. --------------------------------------------------------------------------------Update Information: Security fix for CVE-2023-25193 Update of HarfBuzz to 7.0.1 version (#2169172) Update of freetype to 2.13.0 version (#2168496) ---- Security fix for CVE-2023-25193, Update to 7.0.1 version (#2169172) --------------------------------------------------------------------------------ChangeLog: * Sun Feb 26 2023 Marek Kasik - 2.13.0-2 - Rebuild in side-tag - Resolves: #2168496 * Sun Feb 26 2023 Marek Kasik - 2.13.0-1 - Update to 2.13.0 - Resolves: #2168496 --------------------------------------------------------------------------------References: [ 1 ] Bug #2167254 - CVE-2023-25193 harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks https://bugzilla.redhat.com/show_bug.cgi?id=2167254 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-a48406ecd2' atthe command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
HarfBuzz could be made to crash if it received specially crafted input.. =========================================================================Ubuntu Security Notice USN-5746-1 November 28, 2022 harfbuzz vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: HarfBuzz could be made to crash if it received specially crafted input. Software Description: - harfbuzz: OpenType text shaping engine Details: Behzad Najjarpour Jabbari discovered that HarfBuzz incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: libharfbuzz-bin 1.0.1-1ubuntu0.1+esm1 libharfbuzz0b 1.0.1-1ubuntu0.1+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5746-1 CVE-2015-9274 . Fix HarfBuzz security flaw in Ubuntu 16.04 ESM to avert Denial of Service threats from specially designed inputs.. HarfBuzz Security Patch, Ubuntu 16.04 ESM, Denial of Service, Input Validation Issue. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.