4 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 0000000000..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+    #0 0x403546 in main ../bin/fribidi-main.c:393
+    #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+    #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+    #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+    #0 0x4022bf in main ../bin/fribidi-main.c:193
+  This frame has 5 object(s):
+    [32, 36) 'option_index' (line 233)
+    [48, 52) 'base' (line 386)
+    [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+    [65328, 130328) 'outstring' (line 385)
+    [130592, 390592) 'logical' (line 384)
+This fixes https://github.com/fribidi/fribidi/issues/181
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
+++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+            S_[sizeof (S_) - 1] = 0;
+            len = strlen (S_);
+            /* chop */
+-           if (S_[len - 1] == '\n')
+           if (len > 0 && S_[len - 1] == '\n')
+              {
+                len--;
+                S_[len] = '\0';
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
new file mode 100644
index 0000000000..0efba3d05c
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH] Protected against garbage in the CapRTL encoder
+CVE: CVE-2022-25309
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
+++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+            }
+        }
+       else
+-       us[j++] = caprtl_to_unicode[(int) s[i]];
+      {
+        if ((int)s[i] < 0)
+          us[j++] = '?';
+        else
+          us[j++] = caprtl_to_unicode[(int) s[i]];
+      }
+     }
+ 
+   return j;
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
new file mode 100644
index 0000000000..d79a82d648
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@
+From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 19:06:10 +0900
+Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
+Escape from fribidi_remove_bidi_marks() immediately if str is null.
+This fixes https://github.com/fribidi/fribidi/issues/183
+CVE: CVE-2022-25310
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ lib/fribidi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
+++ b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
+   fribidi_boolean status = false;
+ 
+   if UNLIKELY
+-    (len == 0)
+    (len == 0 || str == NULL)
+     {
+       status = true;
+       goto out;
diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
index 0654b07dc7..62b7d72812 100644
--- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb
+++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
@@ -1,9 +1,18 @@
 SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm"
+DESCRIPTION = "It provides utility functions to aid in the development \
+of interactive editors and widgets that implement BiDi functionality. \
+The BiDi algorithm is a prerequisite for supporting right-to-left scripts such \
+as Hebrew, Arabic, Syriac, and Thaana. "
 SECTION = "libs"
+HOMEPAGE = "http://fribidi.org/"
+BUGTRACKER = "https://github.com/fribidi/fribidi/issues"
 LICENSE = "LGPLv2.1+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
+           file://CVE-2022-25308.patch \
+           file://CVE-2022-25309.patch \
+           file://CVE-2022-25310.patch \
           "
 SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"
 SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"

diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 0000000000..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
		1	From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
		2	From: Akira TAGOH <akira@tagoh.org>
		3	Date: Thu, 17 Feb 2022 17:30:12 +0900
		4	Subject: [PATCH] Fix the stack buffer overflow issue
		5
		6	strlen() could returns 0. Without a conditional check for len,
		7	accessing S_ pointer with len - 1 may causes a stack buffer overflow.
		8
		9	AddressSanitizer reports this like:
		10	==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
		11	43b30 sp 0x7ffdce043b28
		12	READ of size 1 at 0x7ffdce043c1f thread T0
		13	#0 0x403546 in main ../bin/fribidi-main.c:393
		14	#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
		15	#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
		16	#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
		17
		18	Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
		19	#0 0x4022bf in main ../bin/fribidi-main.c:193
		20
		21	This frame has 5 object(s):
		22	[32, 36) 'option_index' (line 233)
		23	[48, 52) 'base' (line 386)
		24	[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
		25	[65328, 130328) 'outstring' (line 385)
		26	[130592, 390592) 'logical' (line 384)
		27
		28	This fixes https://github.com/fribidi/fribidi/issues/181
		29
		30	CVE: CVE-2022-25308
		31	Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
		32	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		33
		34	---
		35	bin/fribidi-main.c \| 2 +-
		36	1 file changed, 1 insertion(+), 1 deletion(-)
		37
		38	diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
		39	index 3cf9fe1..3ae4fb6 100644
		40	--- a/bin/fribidi-main.c
		41	+++ b/bin/fribidi-main.c
		42	@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
		43	S_[sizeof (S_) - 1] = 0;
		44	len = strlen (S_);
		45	/* chop */
		46	- if (S_[len - 1] == '\n')
		47	+ if (len > 0 && S_[len - 1] == '\n')
		48	{
		49	len--;
		50	S_[len] = '\0';


diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch new file mode 100644 index 0000000000..0efba3d05c --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@
		1	From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
		2	From: Dov Grobgeld <dov.grobgeld@gmail.com>
		3	Date: Fri, 25 Mar 2022 09:09:49 +0300
		4	Subject: [PATCH] Protected against garbage in the CapRTL encoder
		5
		6	CVE: CVE-2022-25309
		7	Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
		8	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		9
		10	---
		11	lib/fribidi-char-sets-cap-rtl.c \| 7 ++++++-
		12	1 file changed, 6 insertions(+), 1 deletion(-)
		13
		14	diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
		15	index b0c0e4a..f74e010 100644
		16	--- a/lib/fribidi-char-sets-cap-rtl.c
		17	+++ b/lib/fribidi-char-sets-cap-rtl.c
		18	@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
		19	}
		20	}
		21	else
		22	- us[j++] = caprtl_to_unicode[(int) s[i]];
		23	+ {
		24	+ if ((int)s[i] < 0)
		25	+ us[j++] = '?';
		26	+ else
		27	+ us[j++] = caprtl_to_unicode[(int) s[i]];
		28	+ }
		29	}
		30
		31	return j;


diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch new file mode 100644 index 0000000000..d79a82d648 --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@
		1	From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
		2	From: Akira TAGOH <akira@tagoh.org>
		3	Date: Thu, 17 Feb 2022 19:06:10 +0900
		4	Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
		5
		6	Escape from fribidi_remove_bidi_marks() immediately if str is null.
		7
		8	This fixes https://github.com/fribidi/fribidi/issues/183
		9
		10	CVE: CVE-2022-25310
		11	Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f]
		12	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		13
		14	---
		15	lib/fribidi.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/lib/fribidi.c b/lib/fribidi.c
		19	index f5da0da..70bdab2 100644
		20	--- a/lib/fribidi.c
		21	+++ b/lib/fribidi.c
		22	@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
		23	fribidi_boolean status = false;
		24
		25	if UNLIKELY
		26	- (len == 0)
		27	+ (len == 0 \|\| str == NULL)
		28	{
		29	status = true;
		30	goto out;


diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb index 0654b07dc7..62b7d72812 100644 --- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb +++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
@@ -1,9 +1,18 @@
1	SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm"	1	SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm"
		2	DESCRIPTION = "It provides utility functions to aid in the development \
		3	of interactive editors and widgets that implement BiDi functionality. \
		4	The BiDi algorithm is a prerequisite for supporting right-to-left scripts such \
		5	as Hebrew, Arabic, Syriac, and Thaana. "
2	SECTION = "libs"	6	SECTION = "libs"
		7	HOMEPAGE = "http://fribidi.org/"
		8	BUGTRACKER = "https://github.com/fribidi/fribidi/issues"
3	LICENSE = "LGPLv2.1+"	9	LICENSE = "LGPLv2.1+"
4	LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"	10	LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"
5		11
6	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \	12	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
		13	file://CVE-2022-25308.patch \
		14	file://CVE-2022-25309.patch \
		15	file://CVE-2022-25310.patch \
7	"	16	"
8	SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"	17	SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"
9	SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"	18	SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"