Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1135904,
regarding trixie-pu: package harfbuzz/10.2.0-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135904
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:harfbuzz
User: [email protected]
Usertags: pu
* CVE-2026-22693: Null Pointer Dereference in SubtableUnicodesCache::create
(Closes: #1125189)
diffstat for harfbuzz-10.2.0 harfbuzz-10.2.0
changelog | 8 +++++++
patches/0001-cmap-malloc-fail-test-5710.patch | 28 ++++++++++++++++++++++++++
patches/series | 1
3 files changed, 37 insertions(+)
diff -Nru harfbuzz-10.2.0/debian/changelog harfbuzz-10.2.0/debian/changelog
--- harfbuzz-10.2.0/debian/changelog 2025-01-14 23:20:38.000000000 +0200
+++ harfbuzz-10.2.0/debian/changelog 2026-05-07 11:40:29.000000000 +0300
@@ -1,3 +1,11 @@
+harfbuzz (10.2.0-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-22693: Null Pointer Dereference in SubtableUnicodesCache::create
+ (Closes: #1125189)
+
+ -- Adrian Bunk <[email protected]> Thu, 07 May 2026 11:40:29 +0300
+
harfbuzz (10.2.0-1) unstable; urgency=medium
* New upstream version 10.2.0
diff -Nru harfbuzz-10.2.0/debian/patches/0001-cmap-malloc-fail-test-5710.patch
harfbuzz-10.2.0/debian/patches/0001-cmap-malloc-fail-test-5710.patch
--- harfbuzz-10.2.0/debian/patches/0001-cmap-malloc-fail-test-5710.patch
1970-01-01 02:00:00.000000000 +0200
+++ harfbuzz-10.2.0/debian/patches/0001-cmap-malloc-fail-test-5710.patch
2026-05-07 11:40:06.000000000 +0300
@@ -0,0 +1,28 @@
+From f471988ee05970d852f5187839add7ef5199cee2 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <[email protected]>
+Date: Fri, 9 Jan 2026 04:54:42 -0700
+Subject: [cmap] malloc fail test (#5710)
+
+Fixes
https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
+---
+ src/hb-ot-cmap-table.hh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/hb-ot-cmap-table.hh b/src/hb-ot-cmap-table.hh
+index 7a7a77ad5..e3f428695 100644
+--- a/src/hb-ot-cmap-table.hh
++++ b/src/hb-ot-cmap-table.hh
+@@ -1683,6 +1683,10 @@ struct SubtableUnicodesCache {
+ {
+ SubtableUnicodesCache* cache =
+ (SubtableUnicodesCache*) hb_malloc (sizeof(SubtableUnicodesCache));
++
++ if (unlikely (!cache))
++ return nullptr;
++
+ new (cache) SubtableUnicodesCache (source_table);
+ return cache;
+ }
+--
+2.47.3
+
diff -Nru harfbuzz-10.2.0/debian/patches/series
harfbuzz-10.2.0/debian/patches/series
--- harfbuzz-10.2.0/debian/patches/series 2025-01-14 23:20:38.000000000
+0200
+++ harfbuzz-10.2.0/debian/patches/series 2026-05-07 11:40:26.000000000
+0300
@@ -0,0 +1 @@
+0001-cmap-malloc-fail-test-5710.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---
