diff --git a/fribidi-CVE-2019-18397.patch b/fribidi-CVE-2019-18397.patch deleted file mode 100644 index a734a87..0000000 --- a/fribidi-CVE-2019-18397.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001 -From: Dov Grobgeld -Date: Thu, 24 Oct 2019 09:37:29 +0300 -Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL - ---- - lib/fribidi-bidi.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c -index 6c84392..d384878 100644 ---- a/lib/fribidi-bidi.c -+++ b/lib/fribidi-bidi.c -@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex ( - } - - RL_LEVEL (pp) = level; -- RL_ISOLATE_LEVEL (pp) = isolate_level++; -+ RL_ISOLATE_LEVEL (pp) = isolate_level; -+ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1) -+ isolate_level++; - base_level_per_iso_level[isolate_level] = new_level; - - if (!FRIBIDI_IS_NEUTRAL (override)) --- -2.23.0 - diff --git a/fribidi-CVE-2022-25308.patch b/fribidi-CVE-2022-25308.patch new file mode 100644 index 0000000..dbdbe5a --- /dev/null +++ b/fribidi-CVE-2022-25308.patch @@ -0,0 +1,48 @@ +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 17:30:12 +0900 +Subject: [PATCH 1/3] Fix the stack buffer overflow issue + +strlen() could returns 0. Without a conditional check for len, +accessing S_ pointer with len - 1 may causes a stack buffer overflow. + +AddressSanitizer reports this like: +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 +43b30 sp 0x7ffdce043b28 +READ of size 1 at 0x7ffdce043c1f thread T0 + #0 0x403546 in main ../bin/fribidi-main.c:393 + #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) + #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) + #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) + +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame + #0 0x4022bf in main ../bin/fribidi-main.c:193 + + This frame has 5 object(s): + [32, 36) 'option_index' (line 233) + [48, 52) 'base' (line 386) + [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable + [65328, 130328) 'outstring' (line 385) + [130592, 390592) 'logical' (line 384) + +This fixes https://github.com/fribidi/fribidi/issues/181 +--- + bin/fribidi-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c +index 3cf9fe1..3ae4fb6 100644 +--- a/bin/fribidi-main.c ++++ b/bin/fribidi-main.c +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS + S_[sizeof (S_) - 1] = 0; + len = strlen (S_); + /* chop */ +- if (S_[len - 1] == '\n') ++ if (len > 0 && S_[len - 1] == '\n') + { + len--; + S_[len] = '\0'; +-- +2.35.1 + diff --git a/fribidi-CVE-2022-25309.patch b/fribidi-CVE-2022-25309.patch new file mode 100644 index 0000000..454a5ed --- /dev/null +++ b/fribidi-CVE-2022-25309.patch @@ -0,0 +1,30 @@ +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Fri, 25 Mar 2022 09:09:49 +0300 +Subject: [PATCH 2/3] Protected against garbage in the CapRTL encoder + +--- + lib/fribidi-char-sets-cap-rtl.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +index b0c0e4a..f74e010 100644 +--- a/lib/fribidi-char-sets-cap-rtl.c ++++ b/lib/fribidi-char-sets-cap-rtl.c +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( + } + } + else +- us[j++] = caprtl_to_unicode[(int) s[i]]; ++ { ++ if ((int)s[i] < 0) ++ us[j++] = '?'; ++ else ++ us[j++] = caprtl_to_unicode[(int) s[i]]; ++ } + } + + return j; +-- +2.35.1 + diff --git a/fribidi-CVE-2022-25310.patch b/fribidi-CVE-2022-25310.patch new file mode 100644 index 0000000..09fd1c3 --- /dev/null +++ b/fribidi-CVE-2022-25310.patch @@ -0,0 +1,28 @@ +From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Thu, 17 Feb 2022 19:06:10 +0900 +Subject: [PATCH 3/3] Fix SEGV issue in fribidi_remove_bidi_marks + +Escape from fribidi_remove_bidi_marks() immediately if str is null. + +This fixes https://github.com/fribidi/fribidi/issues/183 +--- + lib/fribidi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/fribidi.c b/lib/fribidi.c +index f5da0da..70bdab2 100644 +--- a/lib/fribidi.c ++++ b/lib/fribidi.c +@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks ( + fribidi_boolean status = false; + + if UNLIKELY +- (len == 0) ++ (len == 0 || str == NULL) + { + status = true; + goto out; +-- +2.35.1 + diff --git a/fribidi.spec b/fribidi.spec index 5cc5b8f..3af25a2 100644 --- a/fribidi.spec +++ b/fribidi.spec @@ -1,7 +1,7 @@ Summary: Library implementing the Unicode Bidirectional Algorithm Name: fribidi Version: 1.0.11 -Release: 2%{?dist} +Release: 3%{?dist} URL: https://github.com/fribidi/fribidi/ Source: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz License: LGPLv2+ and UCD @@ -13,6 +13,9 @@ BuildRequires: meson %endif BuildRequires: make Patch0: fribidi-drop-bundled-gnulib.patch +Patch1: fribidi-CVE-2022-25308.patch +Patch2: fribidi-CVE-2022-25309.patch +Patch3: fribidi-CVE-2022-25310.patch %description A library to handle bidirectional scripts (for example Hebrew, Arabic), @@ -84,6 +87,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la #%%{_mandir}/man3/*.gz %changelog +* Fri Apr 1 2022 Akira TAGOH - 1.0.11-3 +- Fix security issues, CVE-2022-25308, CVE-2022-25309, CVE-2022-25310. + Resolves: rhbz#2067039, rhbz#2067043, rhbz#2067045 + * Thu Jan 20 2022 Fedora Release Engineering - 1.0.11-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild