* [Buildroot] [PATCH] package/libfribidi: add upstream security fix
@ 2019-11-08 16:00 Peter Korsgaard
2019-11-08 20:56 ` Thomas Petazzoni
2019-11-09 17:14 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-11-08 16:00 UTC (permalink / raw)
To: buildroot
Fixes the following security issue:
- CVE-2019-18397: GNU FriBidi stack buffer overflow >= 1.0.0
For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2019/11/08/5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
..._level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 package/libfribidi/0001-Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch
diff --git a/package/libfribidi/0001-Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch b/package/libfribidi/0001-Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch
new file mode 100644
index 0000000000..b78f9b2111
--- /dev/null
+++ b/package/libfribidi/0001-Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch
@@ -0,0 +1,30 @@
+From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Thu, 24 Oct 2019 09:37:29 +0300
+Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
+
+CVE-2019-18397
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ lib/fribidi-bidi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c
+index 6c84392..d384878 100644
+--- a/lib/fribidi-bidi.c
++++ b/lib/fribidi-bidi.c
+@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex (
+ }
+
+ RL_LEVEL (pp) = level;
+- RL_ISOLATE_LEVEL (pp) = isolate_level++;
++ RL_ISOLATE_LEVEL (pp) = isolate_level;
++ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1)
++ isolate_level++;
+ base_level_per_iso_level[isolate_level] = new_level;
+
+ if (!FRIBIDI_IS_NEUTRAL (override))
+--
+2.20.1
+
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/libfribidi: add upstream security fix
2019-11-08 16:00 [Buildroot] [PATCH] package/libfribidi: add upstream security fix Peter Korsgaard
@ 2019-11-08 20:56 ` Thomas Petazzoni
2019-11-09 17:14 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-11-08 20:56 UTC (permalink / raw)
To: buildroot
On Fri, 8 Nov 2019 17:00:29 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issue:
>
> - CVE-2019-18397: GNU FriBidi stack buffer overflow >= 1.0.0
>
> For more details, see the advisory:
> https://www.openwall.com/lists/oss-security/2019/11/08/5
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> ..._level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch | 30 +++++++++++++++++++
> 1 file changed, 30 insertions(+)
> create mode 100644 package/libfribidi/0001-Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/libfribidi: add upstream security fix
2019-11-08 16:00 [Buildroot] [PATCH] package/libfribidi: add upstream security fix Peter Korsgaard
2019-11-08 20:56 ` Thomas Petazzoni
@ 2019-11-09 17:14 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-11-09 17:14 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issue:
> - CVE-2019-18397: GNU FriBidi stack buffer overflow >= 1.0.0
> For more details, see the advisory:
> https://www.openwall.com/lists/oss-security/2019/11/08/5
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.08.x (2019.02.x uses < 1.0.0), thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-11-09 17:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-08 16:00 [Buildroot] [PATCH] package/libfribidi: add upstream security fix Peter Korsgaard
2019-11-08 20:56 ` Thomas Petazzoni
2019-11-09 17:14 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.