fribidi-1.0.4-9.el8

Errata ID: AXSA:2022-4162:01

Release date: Friday, November 25, 2022 - 10:45
Subject: fribidi-1.0.4-9.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

FriBidi is a library to handle bidirectional scripts (for example Hebrew, Arabic), so that the display is done in the proper way, while the text data itself is always written in logical order.

Security Fix(es):

* fribidi: Stack based buffer overflow (CVE-2022-25308)
* fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode (CVE-2022-25309)
* fribidi: SEGV in fribidi_remove_bidi_marks (CVE-2022-25310)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.7 Release Notes linked from the References section.

CVE-2022-25308
A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.
CVE-2022-25309
A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.
CVE-2022-25310
A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. fribidi-1.0.4-9.el8.src.rpm
    MD5: 577bc94337dd1882e51ecd3ab4415898
    SHA-256: a44041f9f743e0dfb36cf27527991bd1fafc87344c61e441887ecbc5061c2bf3
    Size: 1.36 MB

Asianux Server 8 for x86_64
  1. fribidi-1.0.4-9.el8.x86_64.rpm
    MD5: 666cef51d7fba9b1ba02830f6db03232
    SHA-256: 645c0ec6e0fe12e7ebf56fb2e18b67980d173bd42c88147b405d3fd358fe92e3
    Size: 88.37 kB
  2. fribidi-devel-1.0.4-9.el8.x86_64.rpm
    MD5: e83307ed8e24232619e6a2106cfba814
    SHA-256: a5b1a2ff36c6785708f28fb20c58e2826bc8386b764f796673ad183cb36f2238
    Size: 62.60 kB
  3. fribidi-1.0.4-9.el8.i686.rpm
    MD5: 1f928157799d482cc430a5ac0578f941
    SHA-256: efbf6aa337d04026b6def66b16abbaa3c2ec94f42dd4eb61faed35c69fefd18d
    Size: 88.91 kB
  4. fribidi-devel-1.0.4-9.el8.i686.rpm
    MD5: 3f7b9c0412a7f236f32cd25c75198a1e
    SHA-256: 750e80f8f57c61f171c9200390c5926ecc40eb9479d157e79eb9f4330f87b1e4
    Size: 62.62 kB