Bug 25673

Summary: fribidi new security issue CVE-2019-18397
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, shlomif, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: fribidi-1.0.7-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2019-11-09 15:10:35 CET 
An advisory has been issued on November 8:
https://www.openwall.com/lists/oss-security/2019/11/08/5

The message above has a link to the upstream commit that fixes the issue.

Mageia 7 is also affected.
David Walser 2019-11-09 15:10:43 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-11-09 21:59:41 CET 
Assigning to Shlomi as the package's maintainer.

Assignee: bugsquad => shlomif

David Walser 2019-11-09 22:00:44 CET

Assignee: shlomif => pkg-bugs
CC: (none) => shlomif

Comment 2 David GEIGER 2019-11-10 02:36:51 CET 
Done!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-11-10 17:53:34 CET 
Advisory:
========================

Updated fribidi packages fix security vulnerability:

A stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function
in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 allows an attacker to
cause a denial of service or possibly execute arbitrary code by delivering
crafted text content to a user, when this content is then rendered by an
application that uses FriBidi for text layout calculations (CVE-2019-18397).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18397
https://www.openwall.com/lists/oss-security/2019/11/08/5
========================

Updated packages in core/updates_testing:
========================
fribidi-1.0.5-2.1.mga7
libfribidi0-1.0.5-2.1.mga7
libfribidi-devel-1.0.5-2.1.mga7

from fribidi-1.0.5-2.1.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 4 David Walser 2019-11-10 18:41:09 CET 
Debian has issued an advisory for this on November 8:
https://www.debian.org/security/2019/dsa-4561
Comment 5 David Walser 2019-11-10 18:42:58 CET 
Ubuntu has issued an advisory for this on November 7:
https://usn.ubuntu.com/4179-1/

Severity: normal => major

Comment 6 Herman Viaene 2019-11-11 10:27:02 CET 
MGA7-64 Plasma on Lenovo B50
Installing draws in some glibc stuff, so restarted after installing the update.
Tried some commands:
$ fribidi --hel
Usage: fribidi [OPTION]... [FILE]...
A command line interface for the GNU FriBidi library.
Convert a logical string to visual.

  -h, --help            Display this information and exit
  -V, --version         Display version information and exit
  -v, --verbose         Verbose mode, same as --basedir --ltov --vtol
                        --levels --changes
and more ....
$ fribidi --version
fribidi (GNU FriBidi) 1.0.5
interface version 4,
Unicode Character Database version 10.0.0,
and more

Trying to find a direct dependency on fribidi just gives
# urpmq --whatrequires fribidi
fribidi
lib64fribidi0
lib64fribidi0

So tried
# urpmq --whatrequires-recursive fribidi | more
This listed many, many packages, including my beloved aisleriot
So
$ strace -o fribidi.txt sol
and found in the trace file:


openat(AT_FDCWD, "/lib64/libfribidi.so.0", O_RDONLY|O_CLOEXEC) = 3

That should do it.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-11-14 01:58:44 CET 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-14 16:27:42 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-11-14 18:00:40 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0325.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED