[Buildroot] [git commit branch/2022.02.x] package/libfribidi: security bump to version 1.0.12

Peter Korsgaard peter at korsgaard.com
Tue Nov 8 13:04:20 UTC 2022 

commit: https://git.buildroot.net/buildroot/commit/?id=1529c26f60c9edc45447a6852daac26c17736c25
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x

Fixes the following security issues:

- CVE-2022-25308: A stack-based buffer overflow flaw was found in the
  Fribidi package.  This flaw allows an attacker to pass a specially crafted
  file to the Fribidi application, which leads to a possible memory leak or
  a denial of service.

- CVE-2022-25309: A heap-based buffer overflow flaw was found in the Fribidi
  package and affects the fribidi_cap_rtl_to_unicode() function of the
  fribidi-char-sets-cap-rtl.c file.  This flaw allows an attacker to pass a
  specially crafted file to the Fribidi application with the '--caprtl'
  option, leading to a crash and causing a denial of service

- CVE-2022-25310: A segmentation fault (SEGV) flaw was found in the Fribidi
  package and affects the fribidi_remove_bidi_marks() function of the
  lib/fribidi.c file.  This flaw allows an attacker to pass a specially
  crafted file to Fribidi, leading to a crash and causing a denial of
  service.

Signed-off-by: Francois Perrad <francois.perrad at gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>
(cherry picked from commit 0f42b67077a8f620f66c654c92518cf53efb9a92)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/libfribidi/libfribidi.hash | 2 +-
 package/libfribidi/libfribidi.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libfribidi/libfribidi.hash b/package/libfribidi/libfribidi.hash
index da25b2d24d..7e5df98112 100644
--- a/package/libfribidi/libfribidi.hash
+++ b/package/libfribidi/libfribidi.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  30f93e9c63ee627d1a2cedcf59ac34d45bf30240982f99e44c6e015466b4e73d  fribidi-1.0.11.tar.xz
+sha256  0cd233f97fc8c67bb3ac27ce8440def5d3ffacf516765b91c2cc654498293495  fribidi-1.0.12.tar.xz
 sha256  32434afcc8666ba060e111d715bfdb6c2d5dd8a35fa4d3ab8ad67d8f850d2f2b  COPYING
diff --git a/package/libfribidi/libfribidi.mk b/package/libfribidi/libfribidi.mk
index adbd786db1..ec86f468a4 100644
--- a/package/libfribidi/libfribidi.mk
+++ b/package/libfribidi/libfribidi.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBFRIBIDI_VERSION = 1.0.11
+LIBFRIBIDI_VERSION = 1.0.12
 LIBFRIBIDI_SOURCE = fribidi-$(LIBFRIBIDI_VERSION).tar.xz
 LIBFRIBIDI_SITE = https://github.com/fribidi/fribidi/releases/download/v$(LIBFRIBIDI_VERSION)
 LIBFRIBIDI_LICENSE = LGPL-2.1+

More information about the buildroot mailing list