[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1009250: bullseye-pu: fribidi/1.0.8-2+deb11u1

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for fribidi fixes CVE-2022-25308, CVE-2022-25309 and
CVE-2022-25310 in Bullseye. These CVEs have been marked as no-dsa by the
security team.

The same fixes have been already uploaded to Unstable.

  Thorsten

diff -Nru fribidi-1.0.8/debian/changelog fribidi-1.0.8/debian/changelog
--- fribidi-1.0.8/debian/changelog	2019-12-21 03:11:40.000000000 +0100
+++ fribidi-1.0.8/debian/changelog	2022-04-05 22:03:02.000000000 +0200
@@ -1,3 +1,16 @@
+fribidi (1.0.8-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-25308
+    stack-buffer-overflow issue in main()
+  * CVE-2022-25309
+    heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()
+  * CVE-2022-25310
+    SEGV issue in fribidi_remove_bidi_marks()
+    (Closes: #1008793)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 05 Apr 2022 22:03:02 +0200
+
 fribidi (1.0.8-2) unstable; urgency=medium
 
   * Add  revert_log2vis_get_embedding_levels.diff patch to revert back 
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25308.patch fribidi-1.0.8/debian/patches/CVE-2022-25308.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25308.patch	1970-01-01 01:00:00.000000000 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25308.patch	2022-03-31 10:31:22.000000000 +0200
@@ -0,0 +1,43 @@
+commit ad3a19e6372b1e667128ed1ea2f49919884587e1
+Author: Akira TAGOH <akira@tagoh.org>
+Date:   Thu Feb 17 17:30:12 2022 +0900
+
+    Fix the stack buffer overflow issue
+    
+    strlen() could returns 0. Without a conditional check for len,
+    accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+    
+    AddressSanitizer reports this like:
+    ==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+    43b30 sp 0x7ffdce043b28
+    READ of size 1 at 0x7ffdce043c1f thread T0
+        #0 0x403546 in main ../bin/fribidi-main.c:393
+        #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+        #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+        #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+    
+    Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+        #0 0x4022bf in main ../bin/fribidi-main.c:193
+    
+      This frame has 5 object(s):
+        [32, 36) 'option_index' (line 233)
+        [48, 52) 'base' (line 386)
+        [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+        [65328, 130328) 'outstring' (line 385)
+        [130592, 390592) 'logical' (line 384)
+    
+    This fixes https://github.com/fribidi/fribidi/issues/181
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
++++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ 	    S_[sizeof (S_) - 1] = 0;
+ 	    len = strlen (S_);
+ 	    /* chop */
+-	    if (S_[len - 1] == '\n')
++	    if (len > 0 && S_[len - 1] == '\n')
+ 	      {
+ 		len--;
+ 		S_[len] = '\0';
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25309.patch fribidi-1.0.8/debian/patches/CVE-2022-25309.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25309.patch	1970-01-01 01:00:00.000000000 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25309.patch	2022-03-31 10:31:22.000000000 +0200
@@ -0,0 +1,24 @@
+commit f22593b82b5d1668d1997dbccd10a9c31ffea3b3
+Author: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date:   Fri Mar 25 09:09:49 2022 +0300
+
+    Protected against garbage in the CapRTL encoder
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
++++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ 	    }
+ 	}
+       else
+-	us[j++] = caprtl_to_unicode[(int) s[i]];
++      {
++        if ((int)s[i] < 0)
++          us[j++] = '?';
++        else
++          us[j++] = caprtl_to_unicode[(int) s[i]];
++      }
+     }
+ 
+   return j;
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25310.patch fribidi-1.0.8/debian/patches/CVE-2022-25310.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25310.patch	1970-01-01 01:00:00.000000000 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25310.patch	2022-03-31 10:31:22.000000000 +0200
@@ -0,0 +1,23 @@
+commit 175850b03e1af251d705c1d04b2b9b3c1c06e48f
+Author: Akira TAGOH <akira@tagoh.org>
+Date:   Thu Feb 17 19:06:10 2022 +0900
+
+    Fix SEGV issue in fribidi_remove_bidi_marks
+    
+    Escape from fribidi_remove_bidi_marks() immediately if str is null.
+    
+    This fixes https://github.com/fribidi/fribidi/issues/183
+
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
++++ b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
+   fribidi_boolean status = false;
+ 
+   if UNLIKELY
+-    (len == 0)
++    (len == 0 || str == NULL)
+     {
+       status = true;
+       goto out;
diff -Nru fribidi-1.0.8/debian/patches/series fribidi-1.0.8/debian/patches/series
--- fribidi-1.0.8/debian/patches/series	2019-12-21 03:11:40.000000000 +0100
+++ fribidi-1.0.8/debian/patches/series	2022-03-31 10:31:35.000000000 +0200
@@ -1,2 +1,7 @@
 revert_log2vis_get_embedding_levels.diff
 manpages.diff
+
+CVE-2022-25308.patch
+CVE-2022-25309.patch
+CVE-2022-25310.patch
+
Reply to: