Message-ID: <87zhh6a5rk.fsf@canonical.com>
Date: Fri, 08 Nov 2019 23:23:35 +1030
From: Alex Murray <alex.murray@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0
CVE-2019-18397 - GNU FriBidi stack buffer overflow >= 1.0.0
-----------------------------------------------------------
Overview:
A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7
allows an attacker to cause a denial of service or possibly execute
arbitrary code by delivering crafted text content to a user, when this
content is then rendered by an application that uses FriBidi for text
layout calculations. Examples include any GNOME or GTK+ based
application that uses Pango for text rendering, as this internally uses
FriBidi for bidirectional text layout. For example, the attacker can
construct a crafted text file to be opened in GEdit, a crafted IRC
message to be viewed in HexChat or a crafted email to be viewed in
Evolution.
Detailed analysis:
The function fribidi_get_par_embedding_levels_ex()
in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 contains a
fixed size buffer base_level_per_iso_level which is used to accumulate
the current isolate level while calculating the bi-directional
embedding levels of the requested text paragraph.
...
FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
...
When accumulating into this buffer, the index is incremented without
any check against the buffer length, resulting in a stack buffer
overflow when processing more than FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
nested elements.
...
RL_ISOLATE_LEVEL (pp) = isolate_level++;
base_level_per_iso_level[isolate_level] = new_level;
...
This is fixed by checking the current value of isolate_level against
the size of base_level_per_iso_level
(i.e. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) to ensure it is only
incremented when the subsequent store will not overflow the bounds of
the array.
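The following is a small C model of the bounds check described above, added here as an example; it is not code from the FriBidi source or from the upstream commit. The walk_isolates() and nested_isolates() helpers, the 'I'/'P' input alphabet and the exact comparison `isolate_level < MAX_EXPLICIT_LEVEL - 1` are this example's own, and MAX_EXPLICIT_LEVEL is defined locally as 125 in place of FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL.

```c
#include <string.h>
/* Stands in for FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL from fribidi's headers (125, the
   Unicode BiDi max_depth); defined locally so the example builds on its own. */
#define MAX_EXPLICIT_LEVEL 125

typedef struct {
    int max_isolate_level;  /* deepest isolate nesting actually recorded */
    int dropped_initiators; /* initiators the bounds check refused */
} IsolateStats;

/* Model of the patched loop over one paragraph. Input alphabet (constructed):
   'I' = isolate initiator (LRI/RLI/FSI), 'P' = PDI, anything else = text. */
IsolateStats walk_isolates(const char *para)
{
    signed char base_level_per_iso_level[MAX_EXPLICIT_LEVEL]; /* same size as FriBidi's */
    int isolate_level = 0;
    signed char new_level = 0; /* FriBidi derives this from the initiator type */
    IsolateStats st = {0, 0};
    memset(base_level_per_iso_level, 0, sizeof base_level_per_iso_level);
    for (const char *p = para; *p; p++) {
        if (*p == 'I') {
            /* Unpatched 1.0.0-1.0.7 ran "RL_ISOLATE_LEVEL (pp) = isolate_level++;"
               and "base_level_per_iso_level[isolate_level] = new_level;" unconditionally,
               so the 125th nested initiator stores at index 125, one past the array.
               Patched: push only while the post-increment index stays in bounds. */
            if (isolate_level < MAX_EXPLICIT_LEVEL - 1) {
                isolate_level++;
                base_level_per_iso_level[isolate_level] = new_level;
                if (isolate_level > st.max_isolate_level)
                    st.max_isolate_level = isolate_level;
            } else {
                st.dropped_initiators++; /* each one is a store the old code made out of bounds */
            }
        } else if (*p == 'P' && isolate_level > 0) {
            isolate_level--;
        }
    }
    return st;
}

/* Constructed input: n nested initiators with no terminating PDI (n clamped to 0..1023). */
IsolateStats nested_isolates(int n)
{
    char buf[1024];
    if (n < 0) n = 0; else if (n > 1023) n = 1023;
    memset(buf, 'I', (size_t)n);
    buf[n] = '\0';
    return walk_isolates(buf);
}
```

With the check in place the deepest level ever written is 124, so a paragraph nesting more isolates than the array holds is clipped rather than corrupting the stack.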
Affected Versions:
From 1.0.0 to 1.0.7 (no official upstream release has been made
containing the fix)
References:
https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
CRD:
2019-11-07 17:00 UTC
Credit:
Alex Murray of the Ubuntu Security Team