Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
The attached debdiff for fribidi fixes CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310 in Buster. These CVEs have been marked as no-dsa by the security team. The same fixes have been already uploaded to Unstable. Thorsten
diff -Nru fribidi-1.0.5/debian/changelog fribidi-1.0.5/debian/changelog --- fribidi-1.0.5/debian/changelog 2019-11-06 07:48:41.000000000 +0100 +++ fribidi-1.0.5/debian/changelog 2022-04-05 22:03:02.000000000 +0200 @@ -1,3 +1,16 @@ +fribidi (1.0.5-3.1+deb10u2) buster; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2022-25308 + stack-buffer-overflow issue in main() + * CVE-2022-25309 + heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode() + * CVE-2022-25310 + SEGV issue in fribidi_remove_bidi_marks() + (Closes: #1008793) + + -- Thorsten Alteholz <deb...@alteholz.de> Tue, 05 Apr 2022 22:03:02 +0200 + fribidi (1.0.5-3.1+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru fribidi-1.0.5/debian/patches/CVE-2022-25308.patch fribidi-1.0.5/debian/patches/CVE-2022-25308.patch --- fribidi-1.0.5/debian/patches/CVE-2022-25308.patch 1970-01-01 01:00:00.000000000 +0100 +++ fribidi-1.0.5/debian/patches/CVE-2022-25308.patch 2022-03-31 10:33:34.000000000 +0200 @@ -0,0 +1,43 @@ +commit ad3a19e6372b1e667128ed1ea2f49919884587e1 +Author: Akira TAGOH <ak...@tagoh.org> +Date: Thu Feb 17 17:30:12 2022 +0900 + + Fix the stack buffer overflow issue + + strlen() could returns 0. Without a conditional check for len, + accessing S_ pointer with len - 1 may causes a stack buffer overflow. + + AddressSanitizer reports this like: + ==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 + 43b30 sp 0x7ffdce043b28 + READ of size 1 at 0x7ffdce043c1f thread T0 + #0 0x403546 in main ../bin/fribidi-main.c:393 + #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) + #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) + #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) + + Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame + #0 0x4022bf in main ../bin/fribidi-main.c:193 + + This frame has 5 object(s): + [32, 36) 'option_index' (line 233) + [48, 52) 'base' (line 386) + [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable + [65328, 130328) 'outstring' (line 385) + [130592, 390592) 'logical' (line 384) + + This fixes https://github.com/fribidi/fribidi/issues/181 + +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c +index 3cf9fe1..3ae4fb6 100644 +--- a/bin/fribidi-main.c ++++ b/bin/fribidi-main.c +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS + S_[sizeof (S_) - 1] = 0; + len = strlen (S_); + /* chop */ +- if (S_[len - 1] == '\n') ++ if (len > 0 && S_[len - 1] == '\n') + { + len--; + S_[len] = '\0'; diff -Nru fribidi-1.0.5/debian/patches/CVE-2022-25309.patch fribidi-1.0.5/debian/patches/CVE-2022-25309.patch --- fribidi-1.0.5/debian/patches/CVE-2022-25309.patch 1970-01-01 01:00:00.000000000 +0100 +++ fribidi-1.0.5/debian/patches/CVE-2022-25309.patch 2022-03-31 10:33:34.000000000 +0200 @@ -0,0 +1,24 @@ +commit f22593b82b5d1668d1997dbccd10a9c31ffea3b3 +Author: Dov Grobgeld <dov.grobg...@gmail.com> +Date: Fri Mar 25 09:09:49 2022 +0300 + + Protected against garbage in the CapRTL encoder + +diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c +index b0c0e4a..f74e010 100644 +--- a/lib/fribidi-char-sets-cap-rtl.c ++++ b/lib/fribidi-char-sets-cap-rtl.c +@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( + } + } + else +- us[j++] = caprtl_to_unicode[(int) s[i]]; ++ { ++ if ((int)s[i] < 0) ++ us[j++] = '?'; ++ else ++ us[j++] = caprtl_to_unicode[(int) s[i]]; ++ } + } + + return j; diff -Nru fribidi-1.0.5/debian/patches/CVE-2022-25310.patch fribidi-1.0.5/debian/patches/CVE-2022-25310.patch --- fribidi-1.0.5/debian/patches/CVE-2022-25310.patch 1970-01-01 01:00:00.000000000 +0100 +++ fribidi-1.0.5/debian/patches/CVE-2022-25310.patch 2022-03-31 10:54:43.000000000 +0200 @@ -0,0 +1,23 @@ +commit 175850b03e1af251d705c1d04b2b9b3c1c06e48f +Author: Akira TAGOH <ak...@tagoh.org> +Date: Thu Feb 17 19:06:10 2022 +0900 + + Fix SEGV issue in fribidi_remove_bidi_marks + + Escape from fribidi_remove_bidi_marks() immediately if str is null. + + This fixes https://github.com/fribidi/fribidi/issues/183 + +Index: fribidi-1.0.5/lib/fribidi-deprecated.c +=================================================================== +--- fribidi-1.0.5.orig/lib/fribidi-deprecated.c 2018-06-30 21:52:40.000000000 +0200 ++++ fribidi-1.0.5/lib/fribidi-deprecated.c 2022-03-31 10:54:41.755094250 +0200 +@@ -121,7 +121,7 @@ + fribidi_boolean status = false; + + if UNLIKELY +- (len == 0) ++ (len == 0 || str == NULL) + { + status = true; + goto out; diff -Nru fribidi-1.0.5/debian/patches/series fribidi-1.0.5/debian/patches/series --- fribidi-1.0.5/debian/patches/series 2019-11-06 07:48:41.000000000 +0100 +++ fribidi-1.0.5/debian/patches/series 2022-03-31 10:33:45.000000000 +0200 @@ -1,3 +1,7 @@ manpages.diff no-config-h.diff Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff + +CVE-2022-25308.patch +CVE-2022-25309.patch +CVE-2022-25310.patch
