Bug 35042 - harfbuzz new security issue CVE-2026-22693
Summary: harfbuzz new security issue CVE-2026-22693
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-20 15:25 CET by Nicolas Salguero
Modified: 2026-01-23 01:12 CET

See Also:
Source RPM: harfbuzz-7.0.1-1.1.mga9.src.rpm
CVE: CVE-2026-22693
Status comment:
herman.viaene: test_passed_mga9_64+


Nicolas Salguero 2026-01-20 15:26:13 CET

CVE: (none) => CVE-2026-22693
Source RPM: (none) => harfbuzz-7.0.1-1.1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 12.3.0 and patch available from upstream

Comment 1 Nicolas Salguero 2026-01-20 16:41:40 CET
Another reference:
https://www.openwall.com/lists/oss-security/2026/01/11/1
Comment 2 Lewis Smith 2026-01-20 20:32:52 CET
Cauldron already at version: 12.3.0.
This needs porting to M9.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2026-01-21 09:48:37 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Null Pointer Dereference in SubtableUnicodesCache::create leading to DoS. (CVE-2026-22693)

References:
https://www.openwall.com/lists/oss-security/2026/01/11/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QJUDZGUEVHTL26NPJUIGPHUOUKLUMCFB/
========================

Updated packages in core/updates_testing:
========================
harfbuzz-7.0.1-1.2.mga9
lib(64)harfbuzz-devel-7.0.1-1.2.mga9
lib(64)harfbuzz-gir0.0-7.0.1-1.2.mga9
lib(64)harfbuzz0-7.0.1-1.2.mga9

from SRPM:
harfbuzz-7.0.1-1.2.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 12.3.0 and patch available from upstream => (none)
Status: NEW => ASSIGNED

Comment 4 Herman Viaene 2026-01-21 17:32:56 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 18971 for testing.
Put LibreOffice thru its paces: 12-page odt, ods with an odb as datasource (refreshed the data), LO Base application, run an odp. All works well.
The links shown in bug 18971 work OK, both in Firefox and Konqueror. Hebrew characters seem good to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+

katnatek 2026-01-21 23:48:16 CET

Keywords: (none) => advisory

Comment 5 Thomas Andrews 2026-01-22 13:38:10 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2026-01-23 01:12:25 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0015.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
