Bug 1768750 (CVE-2019-18397) - CVE-2019-18397 fribidi: buffer overflow in fribidi_get_par_embedding_levels_ex() in lib/fribidi-bidi.c leading to denial of service and possible code execution
Summary: CVE-2019-18397 fribidi: buffer overflow in fribidi_get_par_embedding_levels_e...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-18397
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1781218 1781219 1781220 1781221 1781224 1781225 1781226 1781227 1784916
Blocks: 1768753
Reported: 2019-11-05 07:52 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:06 UTC (History)
15 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow vulnerability was found in GNU FriBidi, an implementation of the Unicode Bidirectional Algorithm (bidi). When the flaw is triggered, it is possible to manipulate the heap contents, leading to memory corruption that causes a denial of service and possibly arbitrary code execution. The highest threat from this flaw is to both data and system availability.
Clone Of:
Environment:
Last Closed: 2019-12-19 14:09:24 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0008 0 None None None 2020-01-02 14:33:51 UTC
Red Hat Product Errata RHBA-2020:0019 0 None None None 2020-01-02 15:37:16 UTC
Red Hat Product Errata RHBA-2020:0022 0 None None None 2020-01-06 01:20:17 UTC
Red Hat Product Errata RHBA-2020:0041 0 None None None 2020-01-07 12:58:54 UTC
Red Hat Product Errata RHBA-2020:0042 0 None None None 2020-01-07 13:18:56 UTC
Red Hat Product Errata RHBA-2020:0043 0 None None None 2020-01-07 13:18:40 UTC
Red Hat Product Errata RHBA-2020:0049 0 None None None 2020-01-07 18:34:26 UTC
Red Hat Product Errata RHBA-2020:0050 0 None None None 2020-01-07 20:45:24 UTC
Red Hat Product Errata RHBA-2020:0051 0 None None None 2020-01-07 21:03:52 UTC
Red Hat Product Errata RHBA-2020:0060 0 None None None 2020-01-09 09:23:39 UTC
Red Hat Product Errata RHBA-2020:0081 0 None None None 2020-01-13 11:14:32 UTC
Red Hat Product Errata RHBA-2020:0092 0 None None None 2020-01-13 16:37:03 UTC
Red Hat Product Errata RHBA-2020:0121 0 None None None 2020-01-16 13:09:38 UTC
Red Hat Product Errata RHBA-2020:0158 0 None None None 2020-01-21 02:34:57 UTC
Red Hat Product Errata RHSA-2019:4326 0 None None None 2019-12-19 14:00:24 UTC
Red Hat Product Errata RHSA-2019:4361 0 None None None 2019-12-23 09:28:11 UTC
Red Hat Product Errata RHSA-2020:0291 0 None None None 2020-01-30 09:02:43 UTC

Description Dhananjay Arunesh 2019-11-05 07:52:41 UTC
A stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text rendering, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, a crafted IRC message to be viewed in HexChat or a crafted email to be viewed in Evolution.

Comment 1 Marco Benatto 2019-12-09 14:50:50 UTC
Created fribidi tracking bugs for this issue:

Affects: epel-6 [bug 1781219]
Affects: fedora-all [bug 1781218]

Comment 4 Marco Benatto 2019-12-09 14:54:52 UTC
Upstream commit fixing this issue:

https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568

Comment 13 Marco Benatto 2019-12-11 21:22:48 UTC
There's an issue in fribidi when processing isolation levels while facing isolate control characters. The isolation levels are kept in a heap-allocated array with a fixed maximum size; however, the number of isolate characters read is not checked before storing the new level in the isolation level array. This weakness may be exploited by creating a crafted text entry, leading to a heap-based overflow of this array. The overflow can cause DoS, heap memory corruption and potentially arbitrary code execution.
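
The bookkeeping that comment 13 describes, as an added C example that is not FriBidi's own code: a fixed-size array of isolate levels, the unchecked store that overruns it, and a bounded store that refuses the write and only counts the initiator instead. It assumes MAX_DEPTH 125 from UAX #9's max_depth, uses '[' and ']' as stand-ins for isolate initiators (LRI/RLI/FSI) and PDI so inputs are constructed strings rather than real codepoints, and all function names are mine.

```c
/* Added example, not FriBidi's code: models the isolate-level array from
 * comment 13. Assumptions: MAX_DEPTH 125 follows UAX #9's max_depth; '['
 * stands in for an isolate initiator (LRI/RLI/FSI) and ']' for PDI. */
#define MAX_DEPTH 125
typedef struct {
    int levels[MAX_DEPTH];  /* fixed-size array of saved isolate levels */
    int depth;              /* entries in use */
    int overflow;           /* initiators refused because the array was full */
} isolate_stack;
typedef struct { int depth; int refused; } isolate_result;

/* Vulnerable shape is the bare `s->levels[s->depth++] = level;` with no
 * bound, so initiator MAX_DEPTH+1 writes past the array. Hardened shape:
 * a full array refuses the store and only counts the initiator (UAX #9's
 * overflow isolate count) so a later PDI still pairs. 1 = stored, 0 = refused. */
int push_isolate_checked(isolate_stack *s, int level)
{
    if (s->depth >= MAX_DEPTH) {
        s->overflow++;
        return 0;
    }
    s->levels[s->depth++] = level;
    return 1;
}
void pop_isolate(isolate_stack *s)  /* PDI: close an overflow initiator first */
{
    if (s->overflow > 0) s->overflow--;
    else if (s->depth > 0) s->depth--;  /* unmatched PDIs are ignored */
}
/* Runs text through the checked stack; reports final depth and refusals. */
isolate_result run_isolates(const char *text)
{
    isolate_stack s = {{0}, 0, 0};
    isolate_result r = {0, 0};
    for (; *text; text++) {
        if (*text == '[') r.refused += !push_isolate_checked(&s, s.depth + 1);
        else if (*text == ']') pop_isolate(&s);
    }
    r.depth = s.depth;
    return r;
}
/* Constructed input: `opens` initiators followed by `closes` PDIs. */
isolate_result nested_isolates(int opens, int closes)
{
    char buf[512]; int n = 0;
    while (opens-- > 0 && n < 255) buf[n++] = '[';
    while (closes-- > 0 && n < 510) buf[n++] = ']';
    buf[n] = '\0';
    return run_isolates(buf);
}
```

With 130 initiators the bounded store keeps 125 levels and refuses 5, and the first five PDIs pair with the refused initiators before any stored level is popped.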

Comment 14 Marco Benatto 2019-12-11 22:19:16 UTC
Acknowledgments:

Name: Alex Murray (Ubuntu Security Team)

Comment 15 Akira TAGOH 2019-12-18 09:06:28 UTC
Do we really need to take care of epel-6? Because the version of fribidi in epel-6 is fribidi-0.19.2-2.el6, it looks like it is out of the target, as mentioned in comment#0.

Comment 18 Marco Benatto 2019-12-18 15:41:46 UTC
On the Red Hat Enterprise Linux version, the overflow happens on a heap-based buffer instead of the stack-based one described by the upstream bug report.
This is due to the upstream commit:

https://github.com/fribidi/fribidi/commit/d989590e124ad995de3598800c8835d819fadf80
commit d989590e124ad995de3598800c8835d819fadf80
Author: Dov Grobgeld <dov.grobgeld>
Date:   Sat Jun 30 23:15:21 2018 +0300

    Reduce dynamic allocations by using arrays for all small arrays.


This commit hasn't reached the fribidi versions shipped with Red Hat Enterprise Linux.

Comment 20 errata-xmlrpc 2019-12-19 14:00:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:4326 https://access.redhat.com/errata/RHSA-2019:4326

Comment 21 Product Security DevOps Team 2019-12-19 14:09:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18397

Comment 23 errata-xmlrpc 2019-12-23 09:28:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4361 https://access.redhat.com/errata/RHSA-2019:4361

Comment 34 errata-xmlrpc 2020-01-30 09:02:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0291 https://access.redhat.com/errata/RHSA-2020:0291
