4 changed files with 101 additions and 4 deletions
--- a/SOURCES/fribidi-CVE-2022-25308.patch
+++ b/SOURCES/fribidi-CVE-2022-25308.patch
@ -0,0 +1,48 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH 1/4] Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+    #0 0x403546 in main ../bin/fribidi-main.c:393
+    #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+    #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+    #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+    #0 0x4022bf in main ../bin/fribidi-main.c:193
+
+  This frame has 5 object(s):
+    [32, 36) 'option_index' (line 233)
+    [48, 52) 'base' (line 386)
+    [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+    [65328, 130328) 'outstring' (line 385)
+    [130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
+++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ 	    S_[sizeof (S_) - 1] = 0;
+ 	    len = strlen (S_);
+ 	    /* chop */
+-	    if (S_[len - 1] == '\n')
+	    if (len > 0 && S_[len - 1] == '\n')
+ 	      {
+ 		len--;
+ 		S_[len] = '\0';
+-- 
+2.35.1
+
--- a/SOURCES/fribidi-CVE-2022-25309.patch
+++ b/SOURCES/fribidi-CVE-2022-25309.patch
@ -0,0 +1,30 @@
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH 2/4] Protected against garbage in the CapRTL encoder
+
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
+++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ 	    }
+ 	}
+       else
+-	us[j++] = caprtl_to_unicode[(int) s[i]];
+      {
+        if ((int)s[i] < 0)
+          us[j++] = '?';
+        else
+          us[j++] = caprtl_to_unicode[(int) s[i]];
+      }
+     }
+ 
+   return j;
+-- 
+2.35.1
+
--- a/SOURCES/fribidi-CVE-2022-25310.patch
+++ b/SOURCES/fribidi-CVE-2022-25310.patch
@ -0,0 +1,12 @@
+diff -pruN fribidi-1.0.4/lib/fribidi-deprecated.c fribidi-1.0.4.orig/lib/fribidi-deprecated.c
+--- fribidi-1.0.4.orig/lib/fribidi-deprecated.c	2022-04-14 17:00:47.432555374 +0900
+++ fribidi-1.0.4/lib/fribidi-deprecated.c	2018-03-01 16:37:02.000000000 +0900
+@@ -121,7 +121,7 @@ fribidi_remove_bidi_marks (
+   fribidi_boolean status = false;
+ 
+   if UNLIKELY
+-    (len == 0)
+    (len == 0 || str == NULL)
+     {
+       status = true;
+       goto out;
--- a/SPECS/fribidi.spec
+++ b/SPECS/fribidi.spec
@ -1,14 +1,17 @@
 Summary: Library implementing the Unicode Bidirectional Algorithm
 Name: fribidi
 Version: 1.0.4
-Release: 8%{?dist}
+Release: 9%{?dist}
 URL: https://github.com/fribidi/fribidi/
 Source: https://github.com//%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
 License: LGPLv2+ and UCD
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: automake autoconf libtool
 Patch0: %{name}-drop-bundled-gnulib.patch
 Patch1: %{name}-CVE-2019-18397.patch
+Patch2: %{name}-CVE-2022-25308.patch
+Patch3: %{name}-CVE-2022-25309.patch
+Patch4: %{name}-CVE-2022-25310.patch

 %description
 A library to handle bidirectional scripts (for example Hebrew, Arabic),
@ -40,7 +43,7 @@ export CFLAGS="$CFLAGS -DPAGE_SIZE=4096"
 export CFLAGS="$RPM_OPT_FLAGS -DPAGE_SIZE=4096"
 %endif
 %endif
-%configure --disable-static --disable-docs
+%configure --disable-static
 make %{?_smp_mflags}

 %check
@ -65,11 +68,15 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_mandir}/man3/*.gz

 %changelog
+* Thu Apr 14 2022 Akira TAGOH <tagoh@redhat.com> - 1.0.4-9
+- Fix security issues CVE-2022-25308, CVE-2022-25309, CVE-2022-25310.
+  Resolves: rhbz#2050085, rhbz#2050068, rhbz#2050062
+- Drop --disable-docs from %%configure. no such options available.
+
 * Tue Dec 17 2019 Tomas Pelka <tpelka@redhat.com> - 1.0.4-8
 - bump version and rebuild to avoid version conflict with 8.1.0.z
  Resolves: rhbz#1781227

-
 * Fri Dec 13 2019 Akira TAGOH <tagoh@redhat.com> - 1.0.4-7
 - Security fix for CVE-2019-18397
  Resolves: rhbz#1781227