A stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text rendering, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, a crafted IRC message to be viewed in HexChat or a crafted email to be viewed in Evolution.
Created fribidi tracking bugs for this issue: Affects: epel-6 [bug 1781219] Affects: fedora-all [bug 1781218]
Upstream commit fixing this issue: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
There's an issue in fribidi when processing isolation levels while handling isolate control characters. The isolation levels are kept in a heap-allocated array with a fixed maximum size; however, the number of isolate characters read is not checked before storing the new level in the isolation level array. This weakness may be exploited by creating a crafted text entry, leading to a heap-based overflow of this array. The overflow can cause DoS, heap memory corruption and potentially arbitrary code execution.
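As an added illustration of the defect class described above (example code written for this page; it is not FriBidi's code and not the upstream fix), here is a toy isolate-level resolver that pushes one entry per isolate initiator (LRI/RLI/FSI) into a fixed-size array, shown in an unchecked form beside a checked form. The function names, the capacity ISOLATE_STACK_CAP, and the constructed input are assumptions. The array is supplied by the caller, so the same logic applies whether it lives on the stack (upstream 1.0.x) or on the heap (the Red Hat Enterprise Linux builds discussed later in this bug).

```c
/* Constructed model of the CVE-2019-18397 defect class: a bidi resolver keeps
 * isolate embedding levels in a fixed-size array and stores one entry per
 * isolate initiator without checking how many it has already stored.
 * Names, sizes and the input form are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unicode isolate initiators and terminator (UAX #9), as code points. */
#define LRI 0x2066u
#define RLI 0x2067u
#define FSI 0x2068u
#define PDI 0x2069u

/* Assumed capacity of the isolate-level array; small so the constructed
 * input overflows it quickly. */
#define ISOLATE_STACK_CAP 4

/* Backing storage handed to the unchecked resolver.  It is deliberately larger
 * than ISOLATE_STACK_CAP so the store past 'cap' lands in memory we own and
 * the demonstration stays free of undefined behaviour. */
#define BACKING_SLOTS 64

struct isolate_result {
    int max_depth;   /* deepest nesting of open isolates that was stored */
    int dropped;     /* initiators the hardened path refused to store */
};

static int is_initiator(uint32_t c)
{
    return c == LRI || c == RLI || c == FSI;
}

/* Vulnerable form: 'cap' is never consulted, so the (cap+1)-th nested
 * initiator writes past the end of 'levels'. */
static struct isolate_result
resolve_isolates_unchecked(const uint32_t *text, size_t n, int *levels, int cap)
{
    struct isolate_result r = {0, 0};
    int depth = 0, level = 0;
    (void)cap;                              /* the missing bound check */
    for (size_t i = 0; i < n; i++) {
        if (is_initiator(text[i])) {
            levels[depth++] = level;        /* unchecked store */
            level++;
            if (depth > r.max_depth)
                r.max_depth = depth;
        } else if (text[i] == PDI && depth > 0) {
            level = levels[--depth];        /* restore enclosing level */
        }
    }
    return r;
}

/* Hardened form: when the array is full the initiator is counted instead of
 * stored, and a later PDI consumes that count before popping (the overflow
 * handling that UAX #9 rules X5a-X6a prescribe). */
static struct isolate_result
resolve_isolates_checked(const uint32_t *text, size_t n, int *levels, int cap)
{
    struct isolate_result r = {0, 0};
    int depth = 0, level = 0, overflow = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_initiator(text[i])) {
            if (depth >= cap) {             /* array full: do not store */
                overflow++;
                r.dropped++;
                continue;
            }
            levels[depth++] = level;
            level++;
            if (depth > r.max_depth)
                r.max_depth = depth;
        } else if (text[i] == PDI) {
            if (overflow > 0)
                overflow--;                 /* matches an unstored initiator */
            else if (depth > 0)
                level = levels[--depth];
        }
    }
    return r;
}

/* Constructed input: 'nest' LRIs, one letter, then 'nest' PDIs. */
static size_t make_nested(uint32_t *buf, size_t buflen, int nest)
{
    size_t n = 0;
    for (int i = 0; i < nest && n < buflen; i++) buf[n++] = LRI;
    if (n < buflen) buf[n++] = 'a';
    for (int i = 0; i < nest && n < buflen; i++) buf[n++] = PDI;
    return n;
}

/* Runs the unchecked resolver with cap = ISOLATE_STACK_CAP but a larger real
 * buffer; a result above the cap means a store past the declared array end. */
static int vulnerable_max_depth(int nest)
{
    uint32_t text[2 * BACKING_SLOTS + 1];
    int levels[BACKING_SLOTS] = {0};
    if (nest > BACKING_SLOTS) nest = BACKING_SLOTS;
    size_t n = make_nested(text, sizeof text / sizeof text[0], nest);
    return resolve_isolates_unchecked(text, n, levels, ISOLATE_STACK_CAP).max_depth;
}

/* Runs the checked resolver on an array of exactly ISOLATE_STACK_CAP slots. */
static struct isolate_result hardened_result(int nest)
{
    uint32_t text[2 * BACKING_SLOTS + 1];
    int levels[ISOLATE_STACK_CAP] = {0};
    if (nest > BACKING_SLOTS) nest = BACKING_SLOTS;
    size_t n = make_nested(text, sizeof text / sizeof text[0], nest);
    return resolve_isolates_checked(text, n, levels, ISOLATE_STACK_CAP);
}

static int hardened_max_depth(int nest) { return hardened_result(nest).max_depth; }
static int hardened_dropped(int nest)   { return hardened_result(nest).dropped; }

int main(void)
{
    printf("unchecked, 10 nested isolates: stored depth %d (cap %d)\n",
           vulnerable_max_depth(10), ISOLATE_STACK_CAP);
    printf("checked,   10 nested isolates: stored depth %d, dropped %d\n",
           hardened_max_depth(10), hardened_dropped(10));
    return 0;
}
```

With ten nested initiators the unchecked path reports a stored depth of 10 against a declared capacity of 4, i.e. six stores landed beyond the array the caller believes it has; the checked path stops at 4 and counts the remaining six. The real crash needs only a run of isolate initiators longer than the array, which is why plain text files, IRC messages and e-mails are sufficient delivery vehicles.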
Acknowledgments: Name: Alex Murray (Ubuntu Security Team)
Do we really need to take care of epel-6? Because the version of fribidi in epel-6 is fribidi-0.19.2-2.el6, it looks like it is out of the target as mentioned in comment #0.
On the Red Hat Enterprise Linux versions the overflow happens in a heap-based buffer instead of a stack-based one as described by the upstream bug report. This is due to upstream commit: https://github.com/fribidi/fribidi/commit/d989590e124ad995de3598800c8835d819fadf80
commit d989590e124ad995de3598800c8835d819fadf80
Author: Dov Grobgeld <dov.grobgeld>
Date: Sat Jun 30 23:15:21 2018 +0300
    Reduce dynamic allocations by using arrays for all small arrays.
This commit hasn't reached the fribidi versions shipped with Red Hat Enterprise Linux.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:4326 https://access.redhat.com/errata/RHSA-2019:4326
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18397
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4361 https://access.redhat.com/errata/RHSA-2019:4361
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0291 https://access.redhat.com/errata/RHSA-2020:0291