diff --git a/SOURCES/fribidi-CVE-2022-25308.patch b/SOURCES/fribidi-CVE-2022-25308.patch new file mode 100644 index 0000000..ad9e353 --- /dev/null +++ b/SOURCES/fribidi-CVE-2022-25308.patch @@ -0,0 +1,48 @@ +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 17:30:12 +0900 +Subject: [PATCH 1/4] Fix the stack buffer overflow issue + +strlen() could returns 0. Without a conditional check for len, +accessing S_ pointer with len - 1 may causes a stack buffer overflow. + +AddressSanitizer reports this like: +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 +43b30 sp 0x7ffdce043b28 +READ of size 1 at 0x7ffdce043c1f thread T0 + #0 0x403546 in main ../bin/fribidi-main.c:393 + #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) + #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) + #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) + +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame + #0 0x4022bf in main ../bin/fribidi-main.c:193 + + This frame has 5 object(s): + [32, 36) 'option_index' (line 233) + [48, 52) 'base' (line 386) + [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable + [65328, 130328) 'outstring' (line 385) + [130592, 390592) 'logical' (line 384) + +This fixes https://github.com/fribidi/fribidi/issues/181 +--- + bin/fribidi-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c +index 3cf9fe1..3ae4fb6 100644 +--- a/bin/fribidi-main.c ++++ b/bin/fribidi-main.c +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS + S_[sizeof (S_) - 1] = 0; + len = strlen (S_); + /* chop */ +- if (S_[len - 1] == '\n') ++ if (len > 0 && S_[len - 1] == '\n') + { + len--; + S_[len] = '\0'; +-- +2.35.1 + diff --git a/SOURCES/fribidi-CVE-2022-25309.patch b/SOURCES/fribidi-CVE-2022-25309.patch new file mode 100644 index 0000000..9c3cc21 --- /dev/null +++ b/SOURCES/fribidi-CVE-2022-25309.patch @@ -0,0 +1,30 @@ +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Fri, 25 Mar 2022 09:09:49 +0300 +Subject: [PATCH 2/4] Protected against garbage in the CapRTL encoder + +--- + lib/fribidi-char-sets-cap-rtl.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +index b0c0e4a..f74e010 100644 +--- a/lib/fribidi-char-sets-cap-rtl.c ++++ b/lib/fribidi-char-sets-cap-rtl.c +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( + } + } + else +- us[j++] = caprtl_to_unicode[(int) s[i]]; ++ { ++ if ((int)s[i] < 0) ++ us[j++] = '?'; ++ else ++ us[j++] = caprtl_to_unicode[(int) s[i]]; ++ } + } + + return j; +-- +2.35.1 + diff --git a/SOURCES/fribidi-CVE-2022-25310.patch b/SOURCES/fribidi-CVE-2022-25310.patch new file mode 100644 index 0000000..9a03cb4 --- /dev/null +++ b/SOURCES/fribidi-CVE-2022-25310.patch @@ -0,0 +1,12 @@ +diff -pruN fribidi-1.0.4/lib/fribidi-deprecated.c fribidi-1.0.4.orig/lib/fribidi-deprecated.c +--- fribidi-1.0.4.orig/lib/fribidi-deprecated.c 2022-04-14 17:00:47.432555374 +0900 ++++ fribidi-1.0.4/lib/fribidi-deprecated.c 2018-03-01 16:37:02.000000000 +0900 +@@ -121,7 +121,7 @@ fribidi_remove_bidi_marks ( + fribidi_boolean status = false; + + if UNLIKELY +- (len == 0) ++ (len == 0 || str == NULL) + { + status = true; + goto out; diff --git a/SPECS/fribidi.spec b/SPECS/fribidi.spec index 2774f8b..a1da021 100644 --- a/SPECS/fribidi.spec +++ b/SPECS/fribidi.spec @@ -1,14 +1,17 @@ Summary: Library implementing the Unicode Bidirectional Algorithm Name: fribidi Version: 1.0.4 -Release: 8%{?dist} +Release: 9%{?dist} URL: https://github.com/fribidi/fribidi/ Source: https://github.com//%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 License: LGPLv2+ and UCD -BuildRequires: gcc +BuildRequires: gcc make BuildRequires: automake autoconf libtool Patch0: %{name}-drop-bundled-gnulib.patch Patch1: %{name}-CVE-2019-18397.patch +Patch2: %{name}-CVE-2022-25308.patch +Patch3: %{name}-CVE-2022-25309.patch +Patch4: %{name}-CVE-2022-25310.patch %description A library to handle bidirectional scripts (for example Hebrew, Arabic), @@ -40,7 +43,7 @@ export CFLAGS="$CFLAGS -DPAGE_SIZE=4096" export CFLAGS="$RPM_OPT_FLAGS -DPAGE_SIZE=4096" %endif %endif -%configure --disable-static --disable-docs +%configure --disable-static make %{?_smp_mflags} %check @@ -65,11 +68,15 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_mandir}/man3/*.gz %changelog +* Thu Apr 14 2022 Akira TAGOH - 1.0.4-9 +- Fix security issues CVE-2022-25308, CVE-2022-25309, CVE-2022-25310. + Resolves: rhbz#2050085, rhbz#2050068, rhbz#2050062 +- Drop --disable-docs from %%configure. no such options available. + * Tue Dec 17 2019 Tomas Pelka - 1.0.4-8 - bump version and rebuild to avoid version conflict with 8.1.0.z Resolves: rhbz#1781227 - * Fri Dec 13 2019 Akira TAGOH - 1.0.4-7 - Security fix for CVE-2019-18397 Resolves: rhbz#1781227