CVE-2023-25193

Public on 2023-02-04
Modified on 2024-02-12
Description
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
Severity
Medium
CVSS v3 Base Score
5.5

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Firefox Extra | firefox | | | Pending Fix |
| Amazon Linux 1 | harfbuzz | | | Pending Fix |
| Amazon Linux 2 - Core | harfbuzz | 2024-07-03 | ALAS2-2024-2587 | Fixed |
| Amazon Linux 2023 | harfbuzz | 2023-02-21 | ALAS2023-2023-111 | Fixed |
| Amazon Linux 2 - Core | java-11-amazon-corretto | 2023-07-17 | ALAS2-2023-2137 | Fixed |
| Amazon Linux 2023 | java-11-amazon-corretto | 2023-07-17 | ALAS2023-2023-257 | Fixed |
| Amazon Linux 2 - Java-openjdk11 Extra | java-11-openjdk | | | Pending Fix |
| Amazon Linux 2 - Core | java-17-amazon-corretto | 2023-07-17 | ALAS2-2023-2138 | Fixed |
| Amazon Linux 2023 | java-17-amazon-corretto | 2023-07-17 | ALAS2023-2023-258 | Fixed |
| Amazon Linux 2 - Core | thunderbird | 2023-03-02 | ALAS2-2023-1983 | Fixed |

CVSS Scores

| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |