fribidi-1.0.10-6.el9.2

Errata ID: AXSA:2022-4472:02

Release date: Tuesday, December 20, 2022 - 11:46
Subject: fribidi-1.0.10-6.el9.2
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

FriBidi is a library to handle bidirectional scripts (for example Hebrew, Arabic), so that the display is done in the proper way, while the text data itself is always written in logical order.

Security Fix(es):

* fribidi: Stack based buffer overflow (CVE-2022-25308)
* fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode (CVE-2022-25309)
* fribidi: SEGV in fribidi_remove_bidi_marks (CVE-2022-25310)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.1 Release Notes linked from the References section.

CVE-2022-25308
A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.
CVE-2022-25309
A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.
CVE-2022-25310
A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. fribidi-1.0.10-6.el9.2.src.rpm
    MD5: 7a30e7af84cc9f35074d2e69d2d29a54
    SHA-256: 5722a2ed73aa7671612cbfecbdf41a354ea1f9d7fa089b37c01dcfb1234365f5
    Size: 1.12 MB

Asianux Server 9 for x86_64
  1. fribidi-1.0.10-6.el9.2.x86_64.rpm
    MD5: d8dda6274231a0c91ec9eeb34c218ac7
    SHA-256: f2f3d7d7597762a082c6a46941167cb03d40c2e3b717cf1bc4bb1e6addfb0048
    Size: 83.85 kB
  2. fribidi-devel-1.0.10-6.el9.2.x86_64.rpm
    MD5: 37dbf1ef24a518669e84a2b749d5b11b
    SHA-256: a5c4f5fe6cce3b460740f5915cca1316986c749a13764bfe8e2f8e61eef63dbd
    Size: 24.71 kB
  3. fribidi-1.0.10-6.el9.2.i686.rpm
    MD5: b4cfa97792413ff0ad7f4231cc884091
    SHA-256: 7e39664648d3a8617c0960c3d605d3d45eb7970222830c145fac7f8ce3698570
    Size: 84.29 kB
  4. fribidi-devel-1.0.10-6.el9.2.i686.rpm
    MD5: b3101037efa4bf02976d405db62aeacb
    SHA-256: 9a682a9aa13a528a7b561543a62e3b2286b8880ad5432c2c5a447542ffc7faae
    Size: 24.72 kB