HarfBuzz 拒绝服务漏洞(CVE-2023-25193)

admin

0
文章

0
评论

2023-11-30 03:44:05 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 HarfBuzz 拒绝服务漏洞(CVE-2023-25193)

CVE编号

CVE-2023-25193

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-02-05

漏洞描述

HarfBuzz到6.0.0中的hb-ot-layout-gsubgpos.hh允许攻击者在附加标记时回顾基本字形的过程中通过连续标记触发O(n^2)增长。

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://chromium.googlesource.com/chromium/src/+/e1f324aa681af54101c1f2d173d9...
https://github.com/harfbuzz/harfbuzz/blob/2822b589bc837fae6f66233e2cf2eef0f6c...
https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.netapp.com/advisory/ntap-20230725-0006/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	harfbuzz_project	harfbuzz	*		Up to (including) 6.0.0
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	java-11-openjdk-demo	*		Up to (excluding) 11.0.20.0.8-1.1.al7
	运行在以下环境
	系统	alpine_3.16	openjdk11	*		Up to (excluding) 17.0.8_p7-r0
	运行在以下环境
	系统	alpine_3.17	openjdk11	*		Up to (excluding) 17.0.8_p7-r0
	运行在以下环境
	系统	alpine_3.18	openjdk11	*		Up to (excluding) 17.0.8_p7-r0
	运行在以下环境
	系统	alpine_edge	openjdk11	*		Up to (excluding) 17.0.8_p7-r0
	运行在以下环境
	系统	amazon_2	thunderbird	*		Up to (excluding) 11.0.20+8-1.amzn2
	运行在以下环境
	系统	amazon_2023	harfbuzz	*		Up to (excluding) 11.0.20+8-1.amzn2023
	运行在以下环境
	系统	anolis_os_7	java-11-openjdk-demo-debug	*		Up to (excluding) 11.0.20.0.8-1
	运行在以下环境
	系统	anolis_os_8	java-17-openjdk-demo	*		Up to (excluding) 11.0.20.0.8-3.0.1
	运行在以下环境
	系统	centos_7	java	*		Up to (excluding) 11-openjdk-demo-11.0.20.0.8-1.el7_9
	运行在以下环境
	系统	debian_10	harfbuzz	*		Up to (including) 2.3.1-1
	运行在以下环境
	系统	debian_11	harfbuzz	*		Up to (including) 2.7.4-1
	运行在以下环境
	系统	debian_12	harfbuzz	*		Up to (including) 6.0.0+dfsg-3
	运行在以下环境
	系统	debian_sid	harfbuzz	*		Up to (excluding) 8.0.0-1
	运行在以下环境
	系统	fedoraproject	fedora	36	-
	运行在以下环境
	系统	fedora_36	chromium-headless	*		Up to (excluding) 110.0.5481.77-1.fc36
	运行在以下环境
	系统	fedora_38	harfbuzz-debugsource	*		Up to (excluding) 1.17.8-2.fc38
	运行在以下环境
	系统	fedora_EPEL_7	chromium-common	*		Up to (excluding) 110.0.5481.77-1.el7
	运行在以下环境
	系统	fedora_EPEL_8	chromium-headless	*		Up to (excluding) 112.0.5615.49-1.el8
	运行在以下环境
	系统	fedora_EPEL_9	chromium-common	*		Up to (excluding) 112.0.5615.49-1.el9
	运行在以下环境
	系统	kylinos_aarch64_V10	java-11-openjdk	*		Up to (excluding) 11.0.20.0.8-1.el7_9
	运行在以下环境
	系统	kylinos_x86_64_V10	java-11-openjdk	*		Up to (excluding) 11.0.20.0.8-1.el7_9
	运行在以下环境
	系统	opensuse_5.3	libharfbuzz-gobject0	*		Up to (excluding) 3.4.0-150400.3.6.1
	运行在以下环境
	系统	opensuse_Leap_15.4	java-17-openjdk-src	*		Up to (excluding) 3.4.0-150400.3.6.1
	运行在以下环境
	系统	opensuse_Leap_15.5	java-17-openjdk-src	*		Up to (excluding) 1.8.0_sr8.10-150000.3.80.1
	运行在以下环境
	系统	oracle_7	oraclelinux-release	*		Up to (excluding) 11.0.20.0.8-1.0.1.el7_9
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 17.0.8.0.7-2.0.1.el8
	运行在以下环境
	系统	oracle_9	oraclelinux-release	*		Up to (excluding) 11.0.20.0.8-2.0.1.el9
	运行在以下环境
	系统	redhat_7	java	*		Up to (excluding) 11-openjdk-demo-11.0.20.0.8-1.el7_9
	运行在以下环境
	系统	redhat_8	java-11-openjdk-headless	*		Up to (excluding) 17.0.8.0.7-2.el8
	运行在以下环境
系统	redhat_9	java	*		Up to (excluding) 17-openjdk-static-libs-17.0.8.0.7-2.el9
运行在以下环境
系统	suse_12_SP5	libharfbuzz-icu0	*		Up to (excluding) 11.0.20.0-3.61.1
运行在以下环境
系统	ubuntu_20.04	openjdk-17	*		Up to (excluding) 17.0.8+7-1~20.04.2
运行在以下环境
系统	ubuntu_22.04	openjdk-17	*		Up to (excluding) 17.0.8+7-1~22.04
运行在以下环境
系统	unionos_e	harfbuzz	*		Up to (excluding) harfbuzz-2.8.1-4.uel20