CVE-2023-25193
Publication date 4 February 2023
Last updated 24 July 2024
Ubuntu priority
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| harfbuzz | 24.04 LTS noble |
Vulnerable
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| openjdk | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| openjdk-13 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-16 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-17 | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 17.0.8+7-1~22.04
|
|
| 20.04 LTS focal |
Fixed 17.0.8+7-1~20.04.2
|
|
| 18.04 LTS bionic |
Fixed 17.0.8+7-1~18.04
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-18 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-19 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-20 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-21 | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 21.0.1+12-2~22.04
|
|
| 20.04 LTS focal |
Fixed 21.0.1+12-2~20.04
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-22 | ||
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| openjdk-8 | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| openjdk-9 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| openjdk-lts | 24.04 LTS noble |
Fixed 11.0.20+8-1ubuntu1
|
| 22.04 LTS jammy |
Fixed 11.0.20+8-1ubuntu1~22.04
|
|
| 20.04 LTS focal |
Fixed 11.0.20+8-1ubuntu1~20.04
|
|
| 18.04 LTS bionic |
Fixed 11.0.20+8-1ubuntu1~18.04
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
rodrigo-zaiden
commit 85be877925ddbf34f74a1229f3ca1716bb6170dc that was claimed to fix the issue, got reverted in commit 661050b4659ee490dfe622821bc7fde7d1c40510, there are comments on the first discussing possible regressions. Instead, the commits listed in the patches section seems to properly fix the issue. for commit 30b84faba, _infos_set_glyph_flags() can be found as _unsafe_to_break_set_mask() for versios prior to 3.3.0, down to version 1.5.0, where the later was added. GPOS lookups (src/OT/Layout/GPOS) moved to the current code baseline in version 4.4.1, before it, some of the methods can be found in src/hb-ot-layout-gsubgpos.hh. releases prior to bionic does not have any of the code being fixed. bionic itself could be patched with some of the commits, but not all. a careful check seems necessary to evaluate if really possible to fix it.
Patch details
| Package | Patch details |
|---|---|
| harfbuzz |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6263-1
- OpenJDK vulnerabilities
- 1 August 2023
- USN-6272-1
- OpenJDK 20 vulnerabilities
- 3 August 2023
Other references
- https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6ce8470/src/hb-ot-layout-gsubgpos.hh
- https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d92adb80e37088/DEPS#361
- https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc (reverted)
- https://www.cve.org/CVERecord?id=CVE-2023-25193