* [Buildroot] [git commit branch/2022.02.x] package/libfribidi: security bump to version 1.0.12
@ 2022-11-08 13:04 Peter Korsgaard
From: Peter Korsgaard @ 2022-11-08 13:04 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=1529c26f60c9edc45447a6852daac26c17736c25
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Fixes the following security issues:
- CVE-2022-25308: A stack-based buffer overflow flaw was found in the
Fribidi package. This flaw allows an attacker to pass a specially crafted
file to the Fribidi application, which leads to a possible memory leak or
a denial of service.
- CVE-2022-25309: A heap-based buffer overflow flaw was found in the Fribidi
package and affects the fribidi_cap_rtl_to_unicode() function of the
fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a
specially crafted file to the Fribidi application with the '--caprtl'
option, leading to a crash and causing a denial of service.
- CVE-2022-25310: A segmentation fault (SEGV) flaw was found in the Fribidi
package and affects the fribidi_remove_bidi_marks() function of the
lib/fribidi.c file. This flaw allows an attacker to pass a specially
crafted file to Fribidi, leading to a crash and causing a denial of
service.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0f42b67077a8f620f66c654c92518cf53efb9a92)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libfribidi/libfribidi.hash | 2 +-
package/libfribidi/libfribidi.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/libfribidi/libfribidi.hash b/package/libfribidi/libfribidi.hash
index da25b2d24d..7e5df98112 100644
--- a/package/libfribidi/libfribidi.hash
+++ b/package/libfribidi/libfribidi.hash
@@ -1,3 +1,3 @@
# Locally computed
-sha256 30f93e9c63ee627d1a2cedcf59ac34d45bf30240982f99e44c6e015466b4e73d fribidi-1.0.11.tar.xz
+sha256 0cd233f97fc8c67bb3ac27ce8440def5d3ffacf516765b91c2cc654498293495 fribidi-1.0.12.tar.xz
sha256 32434afcc8666ba060e111d715bfdb6c2d5dd8a35fa4d3ab8ad67d8f850d2f2b COPYING
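Review bot: The new fribidi-1.0.12.tar.xz digest sits under the "# Locally computed" comment, so the only integrity evidence for this security bump is a single contributor's download. Before merging, re-download the release asset independently and compare the sha256; if upstream publishes a checksum or signature for the release, record that source in the comment instead. The COPYING hash is unchanged in the context line, which is consistent with the license text being the same in both versions.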
diff --git a/package/libfribidi/libfribidi.mk b/package/libfribidi/libfribidi.mk
index adbd786db1..ec86f468a4 100644
--- a/package/libfribidi/libfribidi.mk
+++ b/package/libfribidi/libfribidi.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBFRIBIDI_VERSION = 1.0.11
+LIBFRIBIDI_VERSION = 1.0.12
LIBFRIBIDI_SOURCE = fribidi-$(LIBFRIBIDI_VERSION).tar.xz
LIBFRIBIDI_SITE = https://github.com/fribidi/fribidi/releases/download/v$(LIBFRIBIDI_VERSION)
LIBFRIBIDI_LICENSE = LGPL-2.1+
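Review bot: At the LIBFRIBIDI_VERSION line, the move from 1.0.11 to 1.0.12 is the only thing delivering the three CVE fixes, and the diffstat shows just the .hash and .mk files touched. Please confirm that the 2022.02.x branch carries no local patches under package/libfribidi/ written against 1.0.11, since none are dropped or refreshed here and a stale one would either fail to apply or duplicate an upstream fix. LIBFRIBIDI_SOURCE and LIBFRIBIDI_SITE both derive from the version variable, so the download URL follows the bump without further edits.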