diff --git a/SOURCES/fribidi-CVE-2019-18397.patch b/SOURCES/fribidi-CVE-2019-18397.patch new file mode 100644 index 0000000..a734a87 --- /dev/null +++ b/SOURCES/fribidi-CVE-2019-18397.patch @@ -0,0 +1,27 @@ +From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Thu, 24 Oct 2019 09:37:29 +0300 +Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL + +--- + lib/fribidi-bidi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c +index 6c84392..d384878 100644 +--- a/lib/fribidi-bidi.c ++++ b/lib/fribidi-bidi.c +@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex ( + } + + RL_LEVEL (pp) = level; +- RL_ISOLATE_LEVEL (pp) = isolate_level++; ++ RL_ISOLATE_LEVEL (pp) = isolate_level; ++ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1) ++ isolate_level++; + base_level_per_iso_level[isolate_level] = new_level; + + if (!FRIBIDI_IS_NEUTRAL (override)) +-- +2.23.0 + diff --git a/SPECS/fribidi.spec b/SPECS/fribidi.spec index 9a79a4e..b875286 100644 --- a/SPECS/fribidi.spec +++ b/SPECS/fribidi.spec @@ -1,11 +1,12 @@ Summary: Library implementing the Unicode Bidirectional Algorithm Name: fribidi Version: 1.0.2 -Release: 1%{?dist} +Release: 1%{?dist}.1 URL: https://github.com/fribidi/fribidi/ Source: https://github.com//%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 License: LGPLv2+ and UCD Group: System Environment/Libraries +Patch1: %{name}-CVE-2019-18397.patch %description A library to handle bidirectional scripts (for example Hebrew, Arabic), @@ -23,6 +24,7 @@ FriBidi. %prep %setup -q +%patch1 -p1 %build %if 0%{?el5} @@ -62,6 +64,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/pkgconfig/*.pc %changelog +* Tue Dec 17 2019 Akira TAGOH - 1.0.2-1.1 +- Security fix for CVE-2019-18397 + Resolves: rhbz#1781224 + * Fri May 04 2018 Caolán McNamara - 1.0.2-1 - Resolves: rhbz#1574858 latest version, --disable-docs because there's no c2man