Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0

Related Vulnerabilities: CVE-2019-18397  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2019-18397 - Stack buffer overflow in GNU FriBidi &gt;= 1.0.0

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Alex Murray &lt;alex.murray () canonical com&gt;

Date: Fri, 08 Nov 2019 23:23:35 +1030

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
CVE-2019-18397 - GNU FriBidi stack buffer overflow &gt;= 1.0.0
-----------------------------------------------------------

Overview:
 A stack buffer overflow in the fribidi_get_par_embedding_levels_ex()
 function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7
 allows an attacker to cause a denial of service or possibly execute
 arbitrary code by delivering crafted text content to a user, when this
 content is then rendered by an application that uses FriBidi for text
 layout calculations. Examples include any GNOME or GTK+ based
 application that uses Pango for text rendering, as this internally uses
 FriBidi for bidirectional text layout. For example, the attacker can
 construct a crafted text file to be opened in GEdit, a crafted IRC
 message to be viewed in HexChat or a crafted email to be viewed in
 Evolution.

Detailed analysis:
 The function fribidi_get_par_embedding_levels_ex()
 in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 contains a
 fixed size buffer base_level_per_iso_level which is used to accumulate
 the current isolate level while calculating the bi-directional
 embedding levels of the requested text paragraph.

 ...
 FriBidiLevel base_level_per_iso_level[FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL];
 ...

 When accumulating into this buffer, the index is incremented without
 any check for overflow of the buffer length, resulting in a stack
 buffer overflow when processing more then
 FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL elements.

 ...
          RL_ISOLATE_LEVEL (pp) = isolate_level++;
          base_level_per_iso_level[isolate_level] = new_level;
 ...

 This is fixed by checking the current value of isolate_level against
 the size of base_level_per_iso_level
 (ie. FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL) to ensure this is only
 incremented when it will not subsequently overflow the bounds of the
 array.

Affected Versions:
 From 1.0.0 to 1.0.7 (no official upstream release has been made
 containing the fix)

References:
 https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568

CRD:
 2019-11-07 17:00 UTC

Credit:
 Alex Murray of the Ubuntu Security Team

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2019-18397 - Stack buffer overflow in GNU FriBidi &gt;= 1.0.0 Alex Murray (Nov 08)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started