fribidi: Stack-based buffer overflow (CVE-2019-18397)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a boundary error in GNU fribidi when processing a large number of Unicode isolate directional characters. A remote attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
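A caller-side input check for the condition described above, as an added example (not code from fribidi or from this advisory): it measures how deeply isolate initiators nest in a UTF-32 buffer and rejects text beyond a limit before it reaches the bidi library. The function names and the limit of 125 (the max_depth value in UAX #9) are assumptions of this example, and the check does not replace applying the fix commit listed under Patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unicode isolate formatting characters (UAX #9). */
#define CP_LRI 0x2066u /* LEFT-TO-RIGHT ISOLATE */
#define CP_RLI 0x2067u /* RIGHT-TO-LEFT ISOLATE */
#define CP_FSI 0x2068u /* FIRST STRONG ISOLATE */
#define CP_PDI 0x2069u /* POP DIRECTIONAL ISOLATE */

/* Assumption of this example: UAX #9 caps nesting at max_depth = 125,
 * so legitimate text never needs more open isolates than that. */
#define ISOLATE_DEPTH_LIMIT 125u

/* Largest number of isolate initiators open at once in a UTF-32 buffer.
 * Model: a PDI closes the most recent open initiator; a stray PDI is ignored. */
size_t max_isolate_depth(const uint32_t *text, size_t len)
{
    size_t depth = 0, deepest = 0;
    for (size_t i = 0; i < len; i++) {
        uint32_t cp = text[i];
        if (cp == CP_LRI || cp == CP_RLI || cp == CP_FSI) {
            if (++depth > deepest)
                deepest = depth;
        } else if (cp == CP_PDI && depth > 0) {
            depth--;
        }
    }
    return deepest;
}

/* 1 if the text may be handed to the bidi library, 0 if it must be rejected. */
int isolate_depth_ok(const uint32_t *text, size_t len)
{
    return max_isolate_depth(text, len) <= ISOLATE_DEPTH_LIMIT;
}

int main(void)
{
    /* Constructed samples: one balanced isolate, and 200 unclosed initiators. */
    uint32_t normal[] = { 'a', CP_RLI, 0x05D0, CP_PDI, 'b' };
    uint32_t nested[200];
    for (size_t i = 0; i < 200; i++)
        nested[i] = CP_RLI;
    printf("normal: depth=%zu ok=%d\n", max_isolate_depth(normal, 5), isolate_depth_ok(normal, 5));
    printf("nested: depth=%zu ok=%d\n", max_isolate_depth(nested, 200), isolate_depth_ok(nested, 200));
    return 0;
}
```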
Affected Versions:
From 1.0.0 to 1.0.7
References:
Patch:
- Fixed by: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
- Introduced by: https://github.com/fribidi/fribidi/commit/f20b6480b9cd46dae8d82a6f95d9c53558fcfd20 (v1.0.0)
Affected branches:
Edited by Leo