From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Subject: [Buildroot] [git commit branch/2022.02.x] package/libfribidi: security bump to version 1.0.12
Date: Tue, 8 Nov 2022 14:04:20 +0100
Message-ID: <20221108192719.B096588228@busybox.osuosl.org>

commit: https://git.buildroot.net/buildroot/commit/?id=1529c26f60c9edc45447a6852daac26c17736c25
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x

Fixes the following security issues:

- CVE-2022-25308: A stack-based buffer overflow flaw was found in the
  Fribidi package.  This flaw allows an attacker to pass a specially crafted
  file to the Fribidi application, which leads to a possible memory leak or
  a denial of service.

- CVE-2022-25309: A heap-based buffer overflow flaw was found in the Fribidi
  package and affects the fribidi_cap_rtl_to_unicode() function of the
  fribidi-char-sets-cap-rtl.c file.  This flaw allows an attacker to pass a
  specially crafted file to the Fribidi application with the '--caprtl'
  option, leading to a crash and causing a denial of service.

- CVE-2022-25310: A segmentation fault (SEGV) flaw was found in the Fribidi
  package and affects the fribidi_remove_bidi_marks() function of the
  lib/fribidi.c file.  This flaw allows an attacker to pass a specially
  crafted file to Fribidi, leading to a crash and causing a denial of
  service.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0f42b67077a8f620f66c654c92518cf53efb9a92)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libfribidi/libfribidi.hash | 2 +-
 package/libfribidi/libfribidi.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libfribidi/libfribidi.hash b/package/libfribidi/libfribidi.hash
index da25b2d24d..7e5df98112 100644
--- a/package/libfribidi/libfribidi.hash
+++ b/package/libfribidi/libfribidi.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  30f93e9c63ee627d1a2cedcf59ac34d45bf30240982f99e44c6e015466b4e73d  fribidi-1.0.11.tar.xz
+sha256  0cd233f97fc8c67bb3ac27ce8440def5d3ffacf516765b91c2cc654498293495  fribidi-1.0.12.tar.xz
 sha256  32434afcc8666ba060e111d715bfdb6c2d5dd8a35fa4d3ab8ad67d8f850d2f2b  COPYING
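Review bot: The new sha256 on the fribidi-1.0.12.tar.xz line is still covered only by the "# Locally computed" comment, so nothing in the hunk or the commit message records what the tarball was checked against before it was pinned. For a security bump it would help to say in the commit message how the download was verified (for example a second independent fetch of the same release, or a comparison with any checksum or signature upstream provides), so a later reader can tell the pinned hash reflects the upstream release and not just whatever was fetched at bump time. The unchanged COPYING hash is consistent with the license text staying the same across the bump.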
diff --git a/package/libfribidi/libfribidi.mk b/package/libfribidi/libfribidi.mk
index adbd786db1..ec86f468a4 100644
--- a/package/libfribidi/libfribidi.mk
+++ b/package/libfribidi/libfribidi.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBFRIBIDI_VERSION = 1.0.11
+LIBFRIBIDI_VERSION = 1.0.12
 LIBFRIBIDI_SOURCE = fribidi-$(LIBFRIBIDI_VERSION).tar.xz
 LIBFRIBIDI_SITE = https://github.com/fribidi/fribidi/releases/download/v$(LIBFRIBIDI_VERSION)
 LIBFRIBIDI_LICENSE = LGPL-2.1+
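Review bot: The LIBFRIBIDI_VERSION change from 1.0.11 to 1.0.12 is going onto the 2022.02.x stable branch, but the commit message lists only the three CVEs and does not say whether 1.0.12 contains anything beyond those fixes. Please add a link to the upstream release notes or changelog for 1.0.12 in the commit message so that reviewers of the stable branch can confirm the bump carries no unrelated behavioural changes. The diffstat touches only the .hash and .mk files, so if package/libfribidi carries any local patches it is also worth confirming they still apply against the new version.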