Fedora has issued an advisory today (April 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXPSWMHAII3BETNRQAOH2TQ7ZPJAMEDT/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora
'fribidi' has been maintained by different people, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Stack based buffer overflow. (CVE-2022-25308)

Heap-buffer-overflow in fribidi_cap_rtl_to_unicode. (CVE-2022-25309)

SEGV in fribidi_remove_bidi_marks. (CVE-2022-25310)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25310
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KXPSWMHAII3BETNRQAOH2TQ7ZPJAMEDT/
========================

Updated packages in core/updates_testing:
========================
lib(64)fribidi0-1.0.10-1.1.mga8
lib(64)fribidi-devel-1.0.10-1.1.mga8
fribidi-1.0.10-1.1.mga8

from SRPM:
fribidi-1.0.10-1.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2022-25308, CVE-2022-25309, CVE-2022-25310
Status comment: Patches available from Fedora => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Re bug 25673 Comment 6 for testing.

$ fribidi --help
Usage: fribidi [OPTION]... [FILE]...
A command line interface for the GNU FriBidi library.
Convert a logical string to visual.
  -h, --help            Display this information and exit
  -V, --version         Display version information and exit
  -v, --verbose         Verbose mode, same as --basedir --ltov --vtol --levels
  -d, --debug           Output debug information
  -t, --test            Test GNU FriBidi, same as --clean --nobreak --showinput --reordernsm --width 80
and more .....

$ fribidi --version
fribidi (GNU FriBidi) 1.0.10
interface version 4,
Unicode Character Database version 10.0.0,
Configure options.
Copyright (C) 2004 Sharif FarsiWeb, Inc.
Copyright (C) 2001, 2002, 2004, 2005 Behdad Esfahbod
Copyright (C) 1999, 2000, 2017, 2018, 2019 Dov Grobgeld
GNU FriBidi comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of GNU FriBidi under
the terms of the GNU Lesser General Public License.
For more information about these matters, see the file named COPYING.
Written by Behdad Esfahbod and Dov Grobgeld.

And trace of aisleriot shows call to /lib64/libfribidi.so.0.
Good to go for me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0136.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED