
[BUG] HarfBuzz CVE-2023-25193 when referencing SkiaSharp.NativeAssets.Linux.NoDependencies #2576

@wss-jtreher

Description

I believe HarfBuzzSharp has a dependency on HarfBuzz looking at some of HarfBuzzApi P/Invoking. We were going to use SkiaSharp on one of our projects, but the OWASP Dependency Checker complained about https://nvd.nist.gov/vuln/detail/CVE-2023-25193.

Code

In your csproj file include: <PackageReference Include="SkiaSharp.NativeAssets.Linux.NoDependencies" Version="2.88.3" />

Expected Behavior

Dependency Check doesn't fail due to CVE.

Actual Behavior

No response

Version of SkiaSharp

2.88.3 (Current)

Last Known Good Version of SkiaSharp

2.88.2 (Previous)

IDE / Editor

Visual Studio (Windows)

Platform / Operating System

Linux

Platform / Operating System Version

No response

Devices

No response

Relevant Screenshots

No response

Relevant Log Output

<testsuite failures="1" errors="0" time="0" id="17"
    name="/source/Something.PdfGenerator/Something.PdfGenerator.csproj"
    package="HarfBuzzSharp.NativeAssets.Linux:2.8.2.3" skipped="0" tests="1"
    timestamp="2023-08-21T11:07:37.227094519">
    <testcase classname="CVE-2023-25193" name="pkg:nuget/HarfBuzzSharp.NativeAssets.Linux@2.8.2.3">
      <failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)" />
      <system-out>hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger
        O(n^2) growth via consecutive marks during the process of looking back for base glyphs when
        attaching marks.</system-out>
      <system-err>location: /source/Something.PdfGenerator/Something.PdfGenerator.csproj,
        project-references: [ ]</system-err>
    </testcase>
  </testsuite>

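As an added example (not code from this issue, from SkiaSharp or from OWASP Dependency-Check), the following Python script parses the JUnit-style report shown in the log output above and turns each flagged package into a structured finding: the package name and version from the purl, the CVE id, the CVSS severity, score and vector, and the scanner's description. It then splits the vector into its metrics so a pipeline can see at a glance that this particular finding scores C:N/I:N/A:H (availability impact only) and apply a score threshold. The sample report is the fragment posted in the issue; the threshold value and the function names are my own choices, and the regular expression for the failure message assumes the "cvssV3: HIGH, score: 7.5 (...)" layout seen in that fragment.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Sample input: the JUnit fragment quoted in the issue above (values as posted there).
SAMPLE_REPORT = """<testsuite failures="1" errors="0" time="0" id="17"
    name="/source/Something.PdfGenerator/Something.PdfGenerator.csproj"
    package="HarfBuzzSharp.NativeAssets.Linux:2.8.2.3" skipped="0" tests="1"
    timestamp="2023-08-21T11:07:37.227094519">
    <testcase classname="CVE-2023-25193" name="pkg:nuget/HarfBuzzSharp.NativeAssets.Linux@2.8.2.3">
      <failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)" />
      <system-out>hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger
        O(n^2) growth via consecutive marks during the process of looking back for base glyphs when
        attaching marks.</system-out>
      <system-err>location: /source/Something.PdfGenerator/Something.PdfGenerator.csproj,
        project-references: [ ]</system-err>
    </testcase>
  </testsuite>
"""


@dataclass
class Finding:
    cve: str
    purl: str
    package: str
    version: str
    severity: str
    score: float
    vector: str
    description: str


# Matches the failure message layout seen in the issue's report (assumption, not a documented format).
_FAILURE_RE = re.compile(r"cvssV(\d): (\w+), score: ([\d.]+) \((CVSS:[^)]+)\)")
# Minimal package-url parser: pkg:<type>/<name>@<version>, ignoring qualifiers and subpath.
_PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)")


def parse_findings(xml_text: str) -> list[Finding]:
    """Extract one Finding per <testcase> that carries a <failure> element."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() walks both a bare <testsuite> and a <testsuites> wrapper.
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # passing test case: no vulnerability reported
        m = _FAILURE_RE.search(failure.get("message", ""))
        if m:
            severity, score, vector = m.group(2), float(m.group(3)), m.group(4)
        else:
            severity, score, vector = "UNKNOWN", 0.0, ""
        purl = case.get("name", "")
        p = _PURL_RE.match(purl)
        package, version = (p.group("name"), p.group("version")) if p else (purl, "")
        out = case.find("system-out")
        # Collapse the multi-line description into a single line.
        description = " ".join((out.text or "").split()) if out is not None else ""
        findings.append(Finding(case.get("classname", ""), purl, package, version,
                                severity, score, vector, description))
    return findings


def parse_vector(vector: str) -> dict[str, str]:
    """Split a CVSS v3 vector string into its metric/value pairs (version prefix dropped)."""
    parts = vector.split("/")
    if not parts or not parts[0].startswith("CVSS:"):
        return {}
    return dict(part.split(":", 1) for part in parts[1:] if ":" in part)


def gate(findings: list[Finding], min_score: float = 7.0) -> list[Finding]:
    """Return findings at or above the threshold; an empty list means the gate passes."""
    return [f for f in findings if f.score >= min_score]


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_REPORT):
        metrics = parse_vector(f.vector)
        print(f"{f.cve} {f.package}@{f.version} {f.severity} {f.score} "
              f"C:{metrics.get('C')} I:{metrics.get('I')} A:{metrics.get('A')}")
        print("  ", f.description)
    blocking = gate(parse_findings(SAMPLE_REPORT), min_score=7.0)
    print("gate:", "FAIL" if blocking else "PASS")
```

Running the script on the issue's own fragment yields one finding for HarfBuzzSharp.NativeAssets.Linux 2.8.2.3 with availability-only impact, which fails a 7.0 gate but would pass a 9.0 one; the structured output is what you would feed into a suppression or exception decision rather than pasting the raw JUnit block.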
