Bug 1768750 (CVE-2019-18397)
Summary: | CVE-2019-18397 fribidi: buffer overflow in fribidi_get_par_embedding_levels_ex() in lib/fribidi-bidi.c leading to denial of service and possible code execution | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | alexl, caillon+fedoraproject, caolanm, eng-i18n-bugs, gnome-sig, john.j5live, mbarnes, mbenatto, mclasen, michel, rhughes, rstrode, sandmann, security-response-team, tagoh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | A heap-based buffer overflow vulnerability was found in GNU FriBidi, an implementation of the Unicode Bidirectional Algorithm (bidi). When the flaw is triggered it's possible to manipulate the heap contents, leading to memory corruption causing a denial of service and to arbitrary code execution. The highest threat from this flaw is to both data and system availability. |
Last Closed: | 2019-12-19 14:09:24 UTC | Type: | --- |
Bug Depends On: | 1781218, 1781219, 1781220, 1781221, 1781224, 1781225, 1781226, 1781227, 1784916 | ||
Bug Blocks: | 1768753 |
Description
Dhananjay Arunesh
2019-11-05 07:52:41 UTC
Created fribidi tracking bugs for this issue:

Affects: epel-6 [bug 1781219]
Affects: fedora-all [bug 1781218]

Upstream commit fixing this issue:
https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568

There's an issue on fribidi when processing isolation levels while facing isolate control characters. The isolation levels are kept on a heap-allocated array with fixed maximum size, however the amount of isolate characters read is not checked before storing the new level in the isolation level array. This weakness may be exploited by creating a crafted text entry leading to a heap-based overflow on this array. The overflow can cause DoS, heap memory corruption and potentially arbitrary code execution.

Acknowledgments:
Name: Alex Murray (Ubuntu Security Team)

Do we really need to take care of epel-6? The version of fribidi in epel-6 is fribidi-0.19.2-2.el6, and it looks like it is out of the target, as was mentioned in comment#0.

On the Red Hat Enterprise Linux version the overflow happens on a heap-based buffer instead of the stack-based one described by the upstream bug report. This happens due to upstream commit:
https://github.com/fribidi/fribidi/commit/d989590e124ad995de3598800c8835d819fadf80

commit d989590e124ad995de3598800c8835d819fadf80
Author: Dov Grobgeld <dov.grobgeld>
Date: Sat Jun 30 23:15:21 2018 +0300

Reduce dynamic allocations by using arrays for all small arrays.

This commit hasn't reached the fribidi versions shipped with Red Hat Enterprise Linux.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:4326 https://access.redhat.com/errata/RHSA-2019:4326

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-18397

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:4361 https://access.redhat.com/errata/RHSA-2019:4361

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:0291 https://access.redhat.com/errata/RHSA-2020:0291
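
The missing check described in the report above, as an added example that is not fribidi's code and not part of the original bug report: a simplified C model of a fixed-size isolate-level array with the bounds check in place, plus a counter showing how many slots an unguarded store would have needed. The capacity of 125, the struct and all function names are assumptions of this sketch, and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model of the bug class, NOT fribidi source; names are hypothetical. */
#define MAX_ISOLATE_LEVELS 125   /* assumed fixed capacity (UAX #9 max_depth) */
#define LRI 0x2066u              /* LEFT-TO-RIGHT ISOLATE */
#define RLI 0x2067u              /* RIGHT-TO-LEFT ISOLATE */
#define FSI 0x2068u              /* FIRST STRONG ISOLATE */
#define PDI 0x2069u              /* POP DIRECTIONAL ISOLATE */

struct isolate_state {
    uint8_t levels[MAX_ISOLATE_LEVELS]; /* one slot per open isolate */
    size_t depth;          /* slots in use */
    size_t overflow;       /* open initiators that did not get a slot */
    size_t peak_unchecked; /* most slots an unguarded store would have needed */
};

/* Track isolate nesting over `text`. Returns how many initiators were refused
 * a slot because the array was already full. */
size_t track_isolates(struct isolate_state *st, const uint32_t *text, size_t len) {
    size_t rejected = 0, unchecked = 0;
    st->depth = st->overflow = st->peak_unchecked = 0;
    for (size_t i = 0; i < len; i++) {
        uint32_t cp = text[i];
        if (cp == LRI || cp == RLI || cp == FSI) {
            if (++unchecked > st->peak_unchecked) st->peak_unchecked = unchecked;
            if (st->depth < MAX_ISOLATE_LEVELS) {   /* the check the bug lacked */
                st->levels[st->depth] = (uint8_t)(st->depth + 1); /* placeholder level */
                st->depth++;
            } else {                                /* count it, never store it */
                st->overflow++;
                rejected++;
            }
        } else if (cp == PDI) {
            if (unchecked) unchecked--;
            if (st->overflow) st->overflow--;       /* closes an unstored isolate */
            else if (st->depth) st->depth--;        /* closes a stored isolate */
        }
    }
    return rejected;
}

int main(void) {
    struct isolate_state st; uint32_t text[200];    /* constructed sample input */
    for (size_t i = 0; i < 200; i++) text[i] = LRI;
    size_t rejected = track_isolates(&st, text, 200);
    printf("stored=%zu rejected=%zu unguarded_peak=%zu\n", st.depth, rejected, st.peak_unchecked);
    return 0;
}
```

With 200 nested initiators the guarded array stops at its capacity, while `peak_unchecked` reports the 200 slots an unguarded store would have written into a 125-slot buffer.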