Bug 30650

Summary: harfbuzz new security issues CVE-2022-33068 and CVE-2023-25193
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, nicolas.salguero
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: harfbuzz-2.7.4-1.mga8.src.rpm CVE:
Status comment: Fixed upstream in 7.0.0

Description David Walser 2022-07-18 18:14:42 CEST 
Fedora has issued an advisory on July 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FQBJ24W6TXLSAQWCFW7IBGUMX4AJI3S4/

The issue is fixed upstream in 4.4.0.

Mageia 8 is also affected.
David Walser 2022-07-18 18:14:52 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.4.0

Comment 1 Lewis Smith 2022-07-18 21:30:55 CEST 
Assigning to tv since you did all the most recent version updates for this, so it is a chemin connu.

Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2022-07-20 15:46:04 CEST 
Ubuntu has issued an advisory for this on July 19:
https://ubuntu.com/security/notices/USN-5524-1
Comment 3 David Walser 2022-08-04 19:25:34 CEST 
openSUSE has issued an advisory for this today (August 4):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VCJNJQSKWM62QM7KUZI7LSAXOK4ALXQN/
Comment 4 David Walser 2023-03-14 16:47:20 CET 
Fedora has issued an advisory today (March 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YZ5M2GSAIHFPLHYJXUPQ2QDJCLWXUGO3/

The issue is fixed upstream in 7.0.0.

Mageia 8 is also affected.

Summary: harfbuzz new security issue CVE-2022-33068 => harfbuzz new security issues CVE-2022-33068 and CVE-2023-25193
Status comment: Fixed upstream in 4.4.0 => Fixed upstream in 7.0.0

Comment 5 David GEIGER 2023-03-14 17:43:59 CET 
For Cauldron we currently have harfbuzz-7.0.1-1.mga9

CC: (none) => geiger.david68210

Comment 6 David Walser 2023-03-14 18:09:12 CET 
Indeed.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: harfbuzz-4.3.0-2.mga9.src.rpm => harfbuzz-2.7.4-1.mga8.src.rpm

Comment 7 David Walser 2023-04-17 15:17:56 CEST 
(In reply to David Walser from comment #4)
> Fedora has issued an advisory today (March 14):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/YZ5M2GSAIHFPLHYJXUPQ2QDJCLWXUGO3/
> 
> The issue is fixed upstream in 7.0.0.
> 
> Mageia 8 is also affected.

SUSE has issued an advisory for this on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014462.html
Comment 8 Nicolas Salguero 2024-01-12 09:59:53 CET 
Mageia 8 EOL

CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: NEW => RESOLVED