-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1666
                          fribidi security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fribidi
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25310 CVE-2022-25309 CVE-2022-25308

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-2974

Comment: CVSS (Max):  7.0 CVE-2022-25308 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2974-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
April 10, 2022                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : fribidi
Version        : 0.19.7-1+deb9u2
CVE ID         : CVE-2022-25308 CVE-2022-25309 CVE-2022-25310


Several issues have been found in fribidi, a free implementation of the
Unicode BiDi algorithm. The issues are related to stack-buffer-overflow,
heap-buffer-overflow, and a SEGV.

CVE-2022-25308
      stack-buffer-overflow issue in main()

CVE-2022-25309
      heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()

CVE-2022-25310
      SEGV issue in fribidi_remove_bidi_marks()


For Debian 9 stretch, these problems have been fixed in version
0.19.7-1+deb9u2.

We recommend that you upgrade your fribidi packages.

For the detailed security status of fribidi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fribidi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
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=x/SH
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=f0tz
-----END PGP SIGNATURE-----