Your message dated Sun, 11 Jan 2026 00:48:46 +0000
with message-id <[email protected]>
and subject line Bug#1125189: fixed in harfbuzz 12.3.0-4
has caused the Debian Bug report #1125189,
regarding harfbuzz: CVE-2026-22693
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125189
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: harfbuzz
Version: 12.3.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for harfbuzz.
CVE-2026-22693[0]:
| HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null
| pointer dereference vulnerability exists in the
| SubtableUnicodesCache::create function located in
| src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL
| before using placement new to construct an object at the returned
| pointer address. When hb_malloc fails to allocate memory (which can
| occur in low-memory conditions or when using custom allocators that
| simulate allocation failures), it returns NULL. The code then
| attempts to call the constructor on this null pointer using
| placement new syntax, resulting in undefined behavior and a
| Segmentation Fault. This issue has been patched in version 12.3.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-22693
https://www.cve.org/CVERecord?id=CVE-2026-22693
[1] https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
[2] https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
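The bug class described in the CVE text above, placement new on an unchecked allocator result, shown beside a guarded form. This is an added example, not HarfBuzz code and not the upstream or Debian patch; `demo_malloc`, `Cache`, `create_unchecked` and `create_checked` are hypothetical names, and the failing allocator is constructed for the demonstration.

```cpp
// Added illustration. demo_malloc, Cache, create_unchecked and create_checked
// are hypothetical names, not HarfBuzz symbols.
#include <cstddef>
#include <cstdlib>
#include <new>

// Constructed stand-in for an allocator that can be told to fail once.
static bool g_fail_next_alloc = false;
static void *demo_malloc(std::size_t size) {
  if (g_fail_next_alloc) { g_fail_next_alloc = false; return nullptr; }
  return std::malloc(size);
}

struct Cache {
  unsigned entries;
  explicit Cache(unsigned n) : entries(n) {}
};

// Pattern from the CVE text: the allocator result is used unchecked.
// Placement new on a null pointer is undefined behavior; the constructor's
// write to `entries` then faults. Shown for comparison, never called here.
Cache *create_unchecked(unsigned n) {
  void *mem = demo_malloc(sizeof(Cache));
  return new (mem) Cache(n);
}

// Guarded form: report the failure to the caller instead of constructing.
Cache *create_checked(unsigned n) {
  void *mem = demo_malloc(sizeof(Cache));
  if (!mem) return nullptr;
  return new (mem) Cache(n);
}

void destroy(Cache *c) {
  if (!c) return;
  c->~Cache();
  std::free(c);
}

int main() {
  g_fail_next_alloc = true;
  Cache *failed = create_checked(8);   // allocator fails: nullptr, no crash
  Cache *ok = create_checked(8);       // allocator succeeds
  int rc = (failed == nullptr && ok && ok->entries == 8) ? 0 : 1;
  destroy(ok);
  return rc;
}
```

Callers of the guarded form must themselves handle the `nullptr` return, otherwise the dereference simply moves one frame up.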
--- Begin Message ---
Source: harfbuzz
Source-Version: 12.3.0-4
Done: أحمد المحمودي (Ahmed El-Mahmoudy) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
harfbuzz, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
أحمد المحمودي (Ahmed El-Mahmoudy) <[email protected]> (supplier
of updated harfbuzz package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 10 Jan 2026 20:27:23 +0100
Source: harfbuzz
Built-For-Profiles: noudeb
Architecture: source
Version: 12.3.0-4
Distribution: unstable
Urgency: medium
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <[email protected]>
Changed-By: أحمد المحمودي (Ahmed El-Mahmoudy) <[email protected]>
Closes: 1125189
Changes:
harfbuzz (12.3.0-4) unstable; urgency=medium
.
* Update copyright years
* Add fix-CVE-2026-22693.patch to fix CVE-2026-22693 (Closes: #1125189)
* d/control: Drop redundant Priority: optional
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---