An advisory has been issued on November 8: https://www.openwall.com/lists/oss-security/2019/11/08/5 The message above has a link to the upstream commit that fixes the issue. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to Shlomi as the package's maintainer.
Assignee: bugsquad => shlomif
Assignee: shlomif => pkg-bugs
CC: (none) => shlomif
Done!
CC: (none) => geiger.david68210
Advisory:
========================

Updated fribidi packages fix security vulnerability:

A stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations (CVE-2019-18397).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18397
https://www.openwall.com/lists/oss-security/2019/11/08/5
========================

Updated packages in core/updates_testing:
========================
fribidi-1.0.5-2.1.mga7
libfribidi0-1.0.5-2.1.mga7
libfribidi-devel-1.0.5-2.1.mga7

from fribidi-1.0.5-2.1.mga7.src.rpm
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Debian has issued an advisory for this on November 8: https://www.debian.org/security/2019/dsa-4561
Ubuntu has issued an advisory for this on November 7: https://usn.ubuntu.com/4179-1/
Severity: normal => major
MGA7-64 Plasma on Lenovo B50
Installing draws in some glibc stuff, so restarted after installing the update.
Tried some commands:
$ fribidi --hel
Usage: fribidi [OPTION]... [FILE]...
A command line interface for the GNU FriBidi library.
Convert a logical string to visual.
  -h, --help            Display this information and exit
  -V, --version         Display version information and exit
  -v, --verbose         Verbose mode, same as --basedir --ltov --vtol --levels --changes
and more ....
$ fribidi --version
fribidi (GNU FriBidi) 1.0.5
interface version 4,
Unicode Character Database version 10.0.0,
and more
Trying to find a direct dependency on fribidi just gives
# urpmq --whatrequires fribidi
fribidi
lib64fribidi0
lib64fribidi0
So tried
# urpmq --whatrequires-recursive fribidi | more
This listed many, many packages, including my beloved aisleriot
So
$ strace -o fribidi.txt sol
and found in the trace file:
openat(AT_FDCWD, "/lib64/libfribidi.so.0", O_RDONLY|O_CLOEXEC) = 3
That should do it.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
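The strace check in the comment above, turned into a small reusable script as an added example (not part of the bug report or of FriBidi): it reads an strace log and reports the path from which libfribidi.so.0 was actually opened, ignoring failed probes of other directories. The trace lines are constructed samples and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report. Verifies that a traced process really
# loaded libfribidi.so.0 (so the updated library is the one being exercised).
# Real use: strace -o fribidi.txt sol; fribidi_loaded_path "$(cat fribidi.txt)"

# Constructed strace excerpt: one failed probe, one successful open, one unrelated lib.
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/local/lib64/libfribidi.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libfribidi.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 4'

# Constructed trace of a program that never touches FriBidi.
SAMPLE_TRACE_MISSING='openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3'

# fribidi_loaded_path TRACE_TEXT
# Prints the path of the first openat() of libfribidi.so.0 that returned a
# non-negative file descriptor; returns 1 if the library was never opened.
# Failed opens ("= -1 ENOENT ...") do not match because the pattern requires
# the call to end in a plain fd number.
fribidi_loaded_path() {
    printf '%s\n' "$1" |
      sed -n 's/^openat([^,]*, "\([^"]*libfribidi\.so\.0\)", [^)]*) = \([0-9][0-9]*\)$/\1/p' |
      head -n 1 | grep .
}

# Stand-alone demonstration on the constructed samples.
if path=$(fribidi_loaded_path "$SAMPLE_TRACE"); then
    echo "libfribidi.so.0 loaded from: $path"
else
    echo "libfribidi.so.0 was never opened"
fi
if fribidi_loaded_path "$SAMPLE_TRACE_MISSING" >/dev/null; then
    echo "unexpected: FriBidi found in the second trace"
else
    echo "second trace: libfribidi.so.0 was never opened (as expected)"
fi
```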
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0325.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED