Your message dated Thu, 07 May 2026 22:02:33 +0000
with message-id <[email protected]>
and subject line Bug#1125189: fixed in harfbuzz 10.2.0-1+deb13u1
has caused the Debian Bug report #1125189,
regarding harfbuzz: CVE-2026-22693
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125189
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: harfbuzz
Version: 12.3.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for harfbuzz.

CVE-2026-22693[0]:
| HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null
| pointer dereference vulnerability exists in the
| SubtableUnicodesCache::create function located in
| src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL
| before using placement new to construct an object at the returned
| pointer address. When hb_malloc fails to allocate memory (which can
| occur in low-memory conditions or when using custom allocators that
| simulate allocation failures), it returns NULL. The code then
| attempts to call the constructor on this null pointer using
| placement new syntax, resulting in undefined behavior and a
| Segmentation Fault. This issue has been patched in version 12.3.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22693
    https://www.cve.org/CVERecord?id=CVE-2026-22693
[1] https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
[2] https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
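
The allocation-failure pattern the CVE text above describes, as an added C++ example that is not HarfBuzz code: a constructed allocator stub with a fault-injection switch stands in for hb_malloc, `create_unchecked` mirrors the unchecked placement new (defined for contrast but never called), and `create_checked` shows the NULL check that lets the caller handle the failure instead of crashing.

```cpp
#include <cstdlib>
#include <new>

// Constructed stand-in for hb_malloc: a global switch lets a test simulate
// allocation failure the way a fault-injecting allocator would.
static bool g_simulate_oom = false;

void *hb_malloc_stub(std::size_t size)
{
  if (g_simulate_oom) return nullptr;
  return std::malloc(size);
}

// Minimal stand-in for the cache object; the real class is much larger.
struct UnicodesCache { unsigned entries = 0; };

// Unchecked shape the advisory describes: placement new runs on whatever the
// allocator returned, including NULL. Never called here; kept for contrast.
UnicodesCache *create_unchecked()
{
  void *mem = hb_malloc_stub(sizeof(UnicodesCache));
  return new (mem) UnicodesCache();   // undefined behaviour when mem == NULL
}

// Hardened shape: test the allocation before constructing into it, so the
// caller sees a NULL result instead of a crash.
UnicodesCache *create_checked()
{
  void *mem = hb_malloc_stub(sizeof(UnicodesCache));
  if (!mem) return nullptr;
  return new (mem) UnicodesCache();
}

// True if create_checked() fails cleanly under simulated OOM and still yields
// a usable object once memory is available again.
bool hardened_create_handles_oom()
{
  g_simulate_oom = true;
  bool failed_cleanly = (create_checked() == nullptr);
  g_simulate_oom = false;
  UnicodesCache *c = create_checked();
  bool ok = (c != nullptr && c->entries == 0);
  if (c) { c->~UnicodesCache(); std::free(c); }   // destroy, then release
  return failed_cleanly && ok;
}
```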
--- Begin Message ---
Source: harfbuzz
Source-Version: 10.2.0-1+deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
harfbuzz, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated harfbuzz package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 07 May 2026 11:40:29 +0300
Source: harfbuzz
Architecture: source
Version: 10.2.0-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: أحمد المحمودي (Ahmed El-Mahmoudy) <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1125189
Changes:
 harfbuzz (10.2.0-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-22693: Null Pointer Dereference in SubtableUnicodesCache::create
     (Closes: #1125189)


--- End Message ---