Bug 30249

Summary: fribidi new security issues CVE-2022-2530[89] and CVE-2022-25310
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: fribidi-1.0.11-2.mga9.src.rpm CVE: CVE-2022-25308, CVE-2022-25309, CVE-2022-25310
Status comment:

Description David Walser 2022-04-05 18:34:11 CEST 
Fedora has issued an advisory today (April 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXPSWMHAII3BETNRQAOH2TQ7ZPJAMEDT/

Mageia 8 is also affected.
David Walser 2022-04-05 18:34:22 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Lewis Smith 2022-04-05 19:34:46 CEST 
'fribidi' has been maintained by different people, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-04-06 10:45:53 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Stack based buffer overflow. (CVE-2022-25308)

Heap-buffer-overflow in fribidi_cap_rtl_to_unicode. (CVE-2022-25309)

SEGV in fribidi_remove_bidi_marks. (CVE-2022-25310)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25310
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXPSWMHAII3BETNRQAOH2TQ7ZPJAMEDT/
========================

Updated packages in core/updates_testing:
========================
lib(64)fribidi0-1.0.10-1.1.mga8
lib(64)fribidi-devel-1.0.10-1.1.mga8
fribidi-1.0.10-1.1.mga8

from SRPM:
fribidi-1.0.10-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2022-25308, CVE-2022-25309, CVE-2022-25310
Status comment: Patches available from Fedora => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-04-08 14:06:11 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Re bug 25673 Comment 6 for testting.
$ fribidi --help
Usage: fribidi [OPTION]... [FILE]...
A command line interface for the GNU FriBidi library.
Convert a logical string to visual.

  -h, --help            Display this information and exit
  -V, --version         Display version information and exit
  -v, --verbose         Verbose mode, same as --basedir --ltov --vtol
                        --levels
  -d, --debug           Output debug information
  -t, --test            Test GNU FriBidi, same as --clean --nobreak
                        --showinput --reordernsm --width 80
and more .....

$ fribidi --version
fribidi (GNU FriBidi) 1.0.10
interface version 4,
Unicode Character Database version 10.0.0,
Configure options.

Copyright (C) 2004  Sharif FarsiWeb, Inc.
Copyright (C) 2001, 2002, 2004, 2005  Behdad Esfahbod
Copyright (C) 1999, 2000, 2017, 2018, 2019  Dov Grobgeld
GNU FriBidi comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of GNU FriBidi under
the terms of the GNU Lesser General Public License.
For more information about these matters, see the file named COPYING.

Written by Behdad Esfahbod and Dov Grobgeld.

And trace of aisleriot shows call to /lib64/libfribidi.so.0.

Good to go for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-04-09 00:07:16 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-09 19:48:38 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-04-09 23:21:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0136.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED