From edee4f681707b139b3bc2133d0cb2cb7ad166079 Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Wed, 11 Dec 2019 13:51:20 +0900 Subject: [PATCH] Fix CVE-2019-18397 Resolves: rhbz#1781218 --- fribidi-CVE-2019-18397.patch | 27 +++++++++++++++++++++++++++ fribidi.spec | 7 ++++++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 fribidi-CVE-2019-18397.patch diff --git a/fribidi-CVE-2019-18397.patch b/fribidi-CVE-2019-18397.patch new file mode 100644 index 0000000..a734a87 --- /dev/null +++ b/fribidi-CVE-2019-18397.patch @@ -0,0 +1,27 @@ +From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Thu, 24 Oct 2019 09:37:29 +0300 +Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL + +--- + lib/fribidi-bidi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c +index 6c84392..d384878 100644 +--- a/lib/fribidi-bidi.c ++++ b/lib/fribidi-bidi.c +@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex ( + } + + RL_LEVEL (pp) = level; +- RL_ISOLATE_LEVEL (pp) = isolate_level++; ++ RL_ISOLATE_LEVEL (pp) = isolate_level; ++ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1) ++ isolate_level++; + base_level_per_iso_level[isolate_level] = new_level; + + if (!FRIBIDI_IS_NEUTRAL (override)) +-- +2.23.0 + diff --git a/fribidi.spec b/fribidi.spec index 56b30d8..ddf2ad7 100644 --- a/fribidi.spec +++ b/fribidi.spec @@ -1,7 +1,7 @@ Summary: Library implementing the Unicode Bidirectional Algorithm Name: fribidi Version: 1.0.7 -Release: 1%{?dist} +Release: 2%{?dist} URL: https://github.com/fribidi/fribidi/ Source: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 License: LGPLv2+ and UCD @@ -13,6 +13,7 @@ BuildRequires: meson %endif Patch0: %{name}-drop-bundled-gnulib.patch Patch1: %{name}-automake.patch +Patch2: %{name}-CVE-2019-18397.patch %description A library to handle bidirectional scripts (for example Hebrew, Arabic), @@ -84,6 +85,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la #%%{_mandir}/man3/*.gz %changelog +* Wed Dec 11 2019 Akira TAGOH - 1.0.7-2 +- Fix CVE-2019-18397 + Resolves: rhbz#1781218 + * Mon Sep 30 2019 Akira TAGOH - 1.0.7-1 - New upstream release. Resolves: rhbz#1756434