An out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
Created harfbuzz tracking bugs for this issue:
Affects: fedora-all [bug 2036821]
Created mingw-harfbuzz tracking bugs for this issue:
Affects: fedora-all [bug 2036822]
I believe this is https://github.com/harfbuzz/harfbuzz/pull/3162, which is fixed in harfbuzz 2.9.1+
Well, I can rebase harfbuzz to 2.9.1 version in F35 not 3.0.0+ versions. The 3.0.0 version created issues in Fedora and some packages need to be fixed manually.
But where is simple reproducer that I can use and then test if above PR is really a fix?
Yesterday I spend good amount of time on this CVE issue and concluded that those Feodra/RHEL releases which have only harfbuzz-2.9.0 build are affected. So actually No Fedora release is affected by this CVE.
The code got introduced and fixed between 2.9.0 to 2.9.1 upstream release.
So this CVE is actually NOTABUG.