diff options
Diffstat (limited to 'meta/recipes-support/fribidi')
4 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 0000000000..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Akira TAGOH <akira@tagoh.org> | ||
3 | Date: Thu, 17 Feb 2022 17:30:12 +0900 | ||
4 | Subject: [PATCH] Fix the stack buffer overflow issue | ||
5 | |||
6 | strlen() could returns 0. Without a conditional check for len, | ||
7 | accessing S_ pointer with len - 1 may causes a stack buffer overflow. | ||
8 | |||
9 | AddressSanitizer reports this like: | ||
10 | ==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 | ||
11 | 43b30 sp 0x7ffdce043b28 | ||
12 | READ of size 1 at 0x7ffdce043c1f thread T0 | ||
13 | #0 0x403546 in main ../bin/fribidi-main.c:393 | ||
14 | #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) | ||
15 | #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) | ||
16 | #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) | ||
17 | |||
18 | Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame | ||
19 | #0 0x4022bf in main ../bin/fribidi-main.c:193 | ||
20 | |||
21 | This frame has 5 object(s): | ||
22 | [32, 36) 'option_index' (line 233) | ||
23 | [48, 52) 'base' (line 386) | ||
24 | [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable | ||
25 | [65328, 130328) 'outstring' (line 385) | ||
26 | [130592, 390592) 'logical' (line 384) | ||
27 | |||
28 | This fixes https://github.com/fribidi/fribidi/issues/181 | ||
29 | |||
30 | CVE: CVE-2022-25308 | ||
31 | Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] | ||
32 | Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> | ||
33 | |||
34 | --- | ||
35 | bin/fribidi-main.c | 2 +- | ||
36 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
37 | |||
38 | diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c | ||
39 | index 3cf9fe1..3ae4fb6 100644 | ||
40 | --- a/bin/fribidi-main.c | ||
41 | +++ b/bin/fribidi-main.c | ||
42 | @@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS | ||
43 | S_[sizeof (S_) - 1] = 0; | ||
44 | len = strlen (S_); | ||
45 | /* chop */ | ||
46 | - if (S_[len - 1] == '\n') | ||
47 | + if (len > 0 && S_[len - 1] == '\n') | ||
48 | { | ||
49 | len--; | ||
50 | S_[len] = '\0'; | ||
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch new file mode 100644 index 0000000000..0efba3d05c --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dov Grobgeld <dov.grobgeld@gmail.com> | ||
3 | Date: Fri, 25 Mar 2022 09:09:49 +0300 | ||
4 | Subject: [PATCH] Protected against garbage in the CapRTL encoder | ||
5 | |||
6 | CVE: CVE-2022-25309 | ||
7 | Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3] | ||
8 | Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> | ||
9 | |||
10 | --- | ||
11 | lib/fribidi-char-sets-cap-rtl.c | 7 ++++++- | ||
12 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
13 | |||
14 | diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c | ||
15 | index b0c0e4a..f74e010 100644 | ||
16 | --- a/lib/fribidi-char-sets-cap-rtl.c | ||
17 | +++ b/lib/fribidi-char-sets-cap-rtl.c | ||
18 | @@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode ( | ||
19 | } | ||
20 | } | ||
21 | else | ||
22 | - us[j++] = caprtl_to_unicode[(int) s[i]]; | ||
23 | + { | ||
24 | + if ((int)s[i] < 0) | ||
25 | + us[j++] = '?'; | ||
26 | + else | ||
27 | + us[j++] = caprtl_to_unicode[(int) s[i]]; | ||
28 | + } | ||
29 | } | ||
30 | |||
31 | return j; | ||
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch new file mode 100644 index 0000000000..d79a82d648 --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001 | ||
2 | From: Akira TAGOH <akira@tagoh.org> | ||
3 | Date: Thu, 17 Feb 2022 19:06:10 +0900 | ||
4 | Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks | ||
5 | |||
6 | Escape from fribidi_remove_bidi_marks() immediately if str is null. | ||
7 | |||
8 | This fixes https://github.com/fribidi/fribidi/issues/183 | ||
9 | |||
10 | CVE: CVE-2022-25310 | ||
11 | Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f] | ||
12 | Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> | ||
13 | |||
14 | --- | ||
15 | lib/fribidi.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/lib/fribidi.c b/lib/fribidi.c | ||
19 | index f5da0da..70bdab2 100644 | ||
20 | --- a/lib/fribidi.c | ||
21 | +++ b/lib/fribidi.c | ||
22 | @@ -74,7 +74,7 @@ fribidi_remove_bidi_marks ( | ||
23 | fribidi_boolean status = false; | ||
24 | |||
25 | if UNLIKELY | ||
26 | - (len == 0) | ||
27 | + (len == 0 || str == NULL) | ||
28 | { | ||
29 | status = true; | ||
30 | goto out; | ||
diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb index 0654b07dc7..62b7d72812 100644 --- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb +++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb | |||
@@ -1,9 +1,18 @@ | |||
1 | SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm" | 1 | SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm" |
2 | DESCRIPTION = "It provides utility functions to aid in the development \ | ||
3 | of interactive editors and widgets that implement BiDi functionality. \ | ||
4 | The BiDi algorithm is a prerequisite for supporting right-to-left scripts such \ | ||
5 | as Hebrew, Arabic, Syriac, and Thaana. " | ||
2 | SECTION = "libs" | 6 | SECTION = "libs" |
7 | HOMEPAGE = "http://fribidi.org/" | ||
8 | BUGTRACKER = "https://github.com/fribidi/fribidi/issues" | ||
3 | LICENSE = "LGPLv2.1+" | 9 | LICENSE = "LGPLv2.1+" |
4 | LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" | 10 | LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" |
5 | 11 | ||
6 | SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ | 12 | SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ |
13 | file://CVE-2022-25308.patch \ | ||
14 | file://CVE-2022-25309.patch \ | ||
15 | file://CVE-2022-25310.patch \ | ||
7 | " | 16 | " |
8 | SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc" | 17 | SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc" |
9 | SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7" | 18 | SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7" |