
Bug#1009250: marked as done (bullseye-pu: fribidi/1.0.8-2+deb11u1)



Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1009250,
regarding bullseye-pu: fribidi/1.0.8-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1009250: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009250
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for fribidi fixes CVE-2022-25308, CVE-2022-25309 and
CVE-2022-25310 in Bullseye. These CVEs have been marked as no-dsa by the
security team.

The same fixes have already been uploaded to Unstable.

  Thorsten
diff -Nru fribidi-1.0.8/debian/changelog fribidi-1.0.8/debian/changelog
--- fribidi-1.0.8/debian/changelog	2019-12-21 03:11:40.000000000 +0100
+++ fribidi-1.0.8/debian/changelog	2022-04-05 22:03:02.000000000 +0200
@@ -1,3 +1,16 @@
+fribidi (1.0.8-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-25308
+    stack-buffer-overflow issue in main()
+  * CVE-2022-25309
+    heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()
+  * CVE-2022-25310
+    SEGV issue in fribidi_remove_bidi_marks()
+    (Closes: #1008793)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Tue, 05 Apr 2022 22:03:02 +0200
+
 fribidi (1.0.8-2) unstable; urgency=medium
 
   * Add  revert_log2vis_get_embedding_levels.diff patch to revert back 
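Review bot: the `(Closes: #1008793)` line is indented under the CVE-2022-25310 entry, which reads as if the bug covers only the SEGV fix; if #1008793 tracks all three CVEs handled by this upload, consider moving it up a level (for example onto the `* Non-maintainer upload by the LTS Team.` item, or as its own `* ` line after the three CVE entries) so the changelog is unambiguous about what the bug closure covers.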
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25308.patch fribidi-1.0.8/debian/patches/CVE-2022-25308.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25308.patch	1970-01-01 01:00:00.000000000 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25308.patch	2022-03-31 10:31:22.000000000 +0200
@@ -0,0 +1,43 @@
+commit ad3a19e6372b1e667128ed1ea2f49919884587e1
+Author: Akira TAGOH <akira@tagoh.org>
+Date:   Thu Feb 17 17:30:12 2022 +0900
+
+    Fix the stack buffer overflow issue
+    
+    strlen() could returns 0. Without a conditional check for len,
+    accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+    
+    AddressSanitizer reports this like:
+    ==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+    43b30 sp 0x7ffdce043b28
+    READ of size 1 at 0x7ffdce043c1f thread T0
+        #0 0x403546 in main ../bin/fribidi-main.c:393
+        #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+        #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+        #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+    
+    Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+        #0 0x4022bf in main ../bin/fribidi-main.c:193
+    
+      This frame has 5 object(s):
+        [32, 36) 'option_index' (line 233)
+        [48, 52) 'base' (line 386)
+        [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+        [65328, 130328) 'outstring' (line 385)
+        [130592, 390592) 'logical' (line 384)
+    
+    This fixes https://github.com/fribidi/fribidi/issues/181
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
++++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ 	    S_[sizeof (S_) - 1] = 0;
+ 	    len = strlen (S_);
+ 	    /* chop */
+-	    if (S_[len - 1] == '\n')
++	    if (len > 0 && S_[len - 1] == '\n')
+ 	      {
+ 		len--;
+ 		S_[len] = '\0';
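Review bot: the new patch file carries only the raw git commit text and no DEP-3 headers, so tooling cannot tell where it came from or which bug it fixes; consider adding `Origin: upstream, https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1` and `Bug-Debian: https://bugs.debian.org/1008793` above the commit text. The change itself is sound: `S_[sizeof (S_) - 1] = 0;` guarantees that `strlen` terminates, and the added `len > 0 &&` short-circuits before `S_[len - 1]` is read, so an empty input line no longer reads the byte below the buffer that the AddressSanitizer report in the commit message describes.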
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25309.patch fribidi-1.0.8/debian/patches/CVE-2022-25309.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25309.patch	1970-01-01 01:00:00.000000000 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25309.patch	2022-03-31 10:31:22.000000000 +0200
@@ -0,0 +1,24 @@
+commit f22593b82b5d1668d1997dbccd10a9c31ffea3b3
+Author: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date:   Fri Mar 25 09:09:49 2022 +0300
+
+    Protected against garbage in the CapRTL encoder
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
++++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ 	    }
+ 	}
+       else
+-	us[j++] = caprtl_to_unicode[(int) s[i]];
++      {
++        if ((int)s[i] < 0)
++          us[j++] = '?';
++        else
++          us[j++] = caprtl_to_unicode[(int) s[i]];
++      }
+     }
+ 
+   return j;
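Review bot: `(int)s[i] < 0` only guards the case where `char` is signed; on Debian targets where `char` is unsigned (arm64, armhf, ppc64el, s390x) the cast never yields a negative value, so bytes 0x80..0xFF are passed straight through to `caprtl_to_unicode[(int) s[i]]`. Whether that stays in bounds depends on the table having 256 entries, which this hunk does not show; worth confirming, or rewriting the test as an explicit bound check on `(unsigned char) s[i]` against the table size so the fix is correct on every architecture. As with the other two patches, a DEP-3 `Origin:` header pointing at upstream commit f22593b82b5d1668d1997dbccd10a9c31ffea3b3 is missing.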
diff -Nru fribidi-1.0.8/debian/patches/CVE-2022-25310.patch fribidi-1.0.8/debian/patches/CVE-2022-25310.patch
--- fribidi-1.0.8/debian/patches/CVE-2022-25310.patch	1970-01-01 01:00:00.000000000 +0100
+++ fribidi-1.0.8/debian/patches/CVE-2022-25310.patch	2022-03-31 10:31:22.000000000 +0200
@@ -0,0 +1,23 @@
+commit 175850b03e1af251d705c1d04b2b9b3c1c06e48f
+Author: Akira TAGOH <akira@tagoh.org>
+Date:   Thu Feb 17 19:06:10 2022 +0900
+
+    Fix SEGV issue in fribidi_remove_bidi_marks
+    
+    Escape from fribidi_remove_bidi_marks() immediately if str is null.
+    
+    This fixes https://github.com/fribidi/fribidi/issues/183
+
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
++++ b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
+   fribidi_boolean status = false;
+ 
+   if UNLIKELY
+-    (len == 0)
++    (len == 0 || str == NULL)
+     {
+       status = true;
+       goto out;
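Review bot: folding `str == NULL` into the same branch as `len == 0` means a NULL string with a nonzero `len` now takes the early-out with `status = true`, i.e. the call reports success without having touched anything; that is consistent with the existing empty-input path but silently hides a caller bug. If the function's return value is meant to signal failure, returning false for the NULL case would be the safer choice; otherwise a one-line comment stating that NULL is treated as an empty string would make the intent clear. The patch file also lacks DEP-3 headers (`Origin: upstream, https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f`).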
diff -Nru fribidi-1.0.8/debian/patches/series fribidi-1.0.8/debian/patches/series
--- fribidi-1.0.8/debian/patches/series	2019-12-21 03:11:40.000000000 +0100
+++ fribidi-1.0.8/debian/patches/series	2022-03-31 10:31:35.000000000 +0200
@@ -1,2 +1,7 @@
 revert_log2vis_get_embedding_levels.diff
 manpages.diff
+
+CVE-2022-25308.patch
+CVE-2022-25309.patch
+CVE-2022-25310.patch
+
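Review bot: the hunk adds two blank lines to `series` (one before `CVE-2022-25308.patch` and one trailing the file); quilt tolerates them, but they are noise in the debdiff and will be churned by the next change to the file. Dropping both keeps `series` to one patch per line, matching the two existing entries.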

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---
