[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0
From: Alex Murray <alex.murray () canonical ! com>
Date: 2019-11-08 13:05:35
Message-ID: 87zhh6a5rk.fsf () canonical ! com
[Download RAW message or body]
CVE-2019-18397 - GNU FriBidi stack buffer overflow >= 1.0.0
-----------------------------------------------------------
Overview:
A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7
allows an attacker to cause a denial of service or possibly execute
arbitrary code by delivering crafted text content to a user, when this
content is then rendered by an application that uses FriBidi for text
layout calculations. Examples include any GNOME or GTK+ based
application that uses Pango for text rendering, as this internally uses
FriBidi for bidirectional text layout. For example, the attacker can
construct a crafted text file to be opened in GEdit, a crafted IRC
message to be viewed in HexChat or a crafted email to be viewed in
Evolution.
Detailed analysis:
The function fribidi_get_par_embedding_levels_ex()
in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 contains a
fixed size buffer base_level_per_iso_level which is used to accumulate
the current isolate level while calculating the bi-directional
embedding levels of the requested text paragraph.
...
FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
...
When accumulating into this buffer, the index is incremented without
any check for overflow of the buffer length, resulting in a stack
buffer overflow when processing more then
FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL elements.
...
RL_ISOLATE_LEVEL (pp) = isolate_level++;
base_level_per_iso_level[isolate_level] = new_level;
...
This is fixed by checking the current value of isolate_level against
the size of base_level_per_iso_level
(ie. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) to ensure this is only
incremented when it will not subsequently overflow the bounds of the
array.
Affected Versions:
From 1.0.0 to 1.0.7 (no official upstream release has been made
containing the fix)
References:
https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
CRD:
2019-11-07 17:00 UTC
Credit:
Alex Murray of the Ubuntu Security Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic