[OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
From: Pawan Badganchi
Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
CVE-2022-25308.patch
Link:
https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
CVE-2022-25309.patch
Link:
https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
CVE-2022-25310.patch
Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
Signed-off-by: Pawan Badganchi
---
.../fribidi/fribidi/CVE-2022-25308.patch | 50 +++
.../fribidi/fribidi/CVE-2022-25309.patch | 31
.../fribidi/fribidi/CVE-2022-25310.patch | 30 +++
meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++
4 files changed, 114 insertions(+)
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 00..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+#0 0x403546 in main ../bin/fribidi-main.c:393
+#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+#0 0x4022bf in main ../bin/fribidi-main.c:193
+
+ This frame has 5 object(s):
+[32, 36) 'option_index' (line 233)
+[48, 52) 'base' (line 386)
+[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this
variable
+[65328, 130328) 'outstring' (line 385)
+[130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport
[https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi
+
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ S_[sizeof (S_) - 1] = 0;
+ len = strlen (S_);
+ /* chop */
+- if (S_[len - 1] == '\n')
++ if (len > 0 && S_[len - 1] == '\n')
+ {
+ len--;
+ S_[len] = '\0';
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
new file mode 100644
index 00..0efba3d05c
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH] Protected against garbage in the CapRTL encoder
+
+CVE: CVE-2022-25309
+Upstream-Status: Backport
[https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
+Signed-off-by: Pawan Badganchi
+
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ }
+ }
+ else
+- us[j++] = caprtl_to_unicode[(int) s[i]];
++ {
++if ((int)s[i] < 0)
++ us[j++] = '?';
++else
++ us[j++] = caprtl_to_unicode[(int) s[i]];
++ }
+ }
+
+ return j;
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
new file mode 100644
index 00..d79a82d648
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@
+From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
+From: Akira TAGOH
+Date: Thu, 17 Feb 2022 19:06:10 +0900
+Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from
Re: [OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
You can simplify your subject to: [OE-core][dunfell] fribidi: Add fix
for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
Sadly the patch in the recipe does not apply. Have you done a test build?
ERROR: fribidi-1.0.9-r0 do_patch: Applying patch
'CVE-2022-25308.patch' on target directory
'/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/fribidi-1.0.9'
Command Error: 'quilt --quiltrc
/home/steve/builds/poky-contrib-dunfell/build/tmp/work/core2-64-poky-linux/fribidi/1.0.9-r0/recipe-sysroot-native/etc/quiltrc
push' exited with 0 Output:
Applying patch CVE-2022-25308.patch
patching file bin/fribidi-main.c
Hunk #1 FAILED at 390.
1 out of 1 hunk FAILED -- rejects in file bin/fribidi-main.c
Patch CVE-2022-25308.patch does not apply (enforce with -f)
Steve
On Thu, May 5, 2022 at 10:08 PM Pawan via lists.openembedded.org
wrote:
>
> From: Pawan Badganchi
>
> Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
>
> CVE-2022-25308.patch
> Link:
> https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
>
> CVE-2022-25309.patch
> Link:
> https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
>
> CVE-2022-25310.patch
> Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
>
> Signed-off-by: pawan badganchi
> ---
> .../fribidi/fribidi/CVE-2022-25308.patch | 50 +++
> .../fribidi/fribidi/CVE-2022-25309.patch | 31
> .../fribidi/fribidi/CVE-2022-25310.patch | 30 +++
> meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++
> 4 files changed, 114 insertions(+)
> create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
> create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
> create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
>
> diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
> b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
> new file mode 100644
> index 00..8f2c2ade0e
> --- /dev/null
> +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
> @@ -0,0 +1,50 @@
> +From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
> +From: Akira TAGOH
> +Date: Thu, 17 Feb 2022 17:30:12 +0900
> +Subject: [PATCH] Fix the stack buffer overflow issue
> +
> +strlen() could returns 0. Without a conditional check for len,
> +accessing S_ pointer with len - 1 may causes a stack buffer overflow.
> +
> +AddressSanitizer reports this like:
> +==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address
> 0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0
> +43b30 sp 0x7ffdce043b28
> +READ of size 1 at 0x7ffdce043c1f thread T0
> +#0 0x403546 in main ../bin/fribidi-main.c:393
> +#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
> +#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
> +#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
> +
> +Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
> +#0 0x4022bf in main ../bin/fribidi-main.c:193
> +
> + This frame has 5 object(s):
> +[32, 36) 'option_index' (line 233)
> +[48, 52) 'base' (line 386)
> +[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows
> this variable
> +[65328, 130328) 'outstring' (line 385)
> +[130592, 390592) 'logical' (line 384)
> +
> +This fixes https://github.com/fribidi/fribidi/issues/181
> +
> +CVE: CVE-2022-25308
> +Upstream-Status: Backport
> [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
> +Signed-off-by: Pawan Badganchi
> +
> +---
> + bin/fribidi-main.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
> +index 3cf9fe1..3ae4fb6 100644
> +--- a/bin/fribidi-main.c
> b/bin/fribidi-main.c
> +@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
> + S_[sizeof (S_) - 1] = 0;
> + len = strlen (S_);
> + /* chop */
> +- if (S_[len - 1] == '\n')
> ++ if (len > 0 && S_[len - 1] == '\n')
> + {
> + len--;
> + S_[len] = '\0';
> diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
> b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
> new file mode 100644
> index 00..0efba3d05c
> --- /dev/null
> +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
> @@ -0,0 +1,31 @@
> +From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
> +From: Dov Grobgeld
> +Date: Fri, 25 Mar 2022 09:09:49 +0300
> +Subject: [PATCH] Protected against garbage in the CapRTL encoder
> +
> +CVE: CVE-2022-25309
> +Upstream-Status: Backport
> [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
> +Signed-off-by: Pawan Badganchi
> +
> +---
[OE-core] [meta][dunfell][PATCH] fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
From: Pawan Badganchi
Add below patches to fix CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
CVE-2022-25308.patch
Link:
https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
CVE-2022-25309.patch
Link:
https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
CVE-2022-25310.patch
Link:https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
Signed-off-by: pawan badganchi
---
.../fribidi/fribidi/CVE-2022-25308.patch | 50 +++
.../fribidi/fribidi/CVE-2022-25309.patch | 31
.../fribidi/fribidi/CVE-2022-25310.patch | 30 +++
meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 ++
4 files changed, 114 insertions(+)
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 00..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffdce043c1f at pc 0x00403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+#0 0x403546 in main ../bin/fribidi-main.c:393
+#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+#0 0x4022bf in main ../bin/fribidi-main.c:193
+
+ This frame has 5 object(s):
+[32, 36) 'option_index' (line 233)
+[48, 52) 'base' (line 386)
+[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this
variable
+[65328, 130328) 'outstring' (line 385)
+[130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport
[https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi
+
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ S_[sizeof (S_) - 1] = 0;
+ len = strlen (S_);
+ /* chop */
+- if (S_[len - 1] == '\n')
++ if (len > 0 && S_[len - 1] == '\n')
+ {
+ len--;
+ S_[len] = '\0';
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
new file mode 100644
index 00..0efba3d05c
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH] Protected against garbage in the CapRTL encoder
+
+CVE: CVE-2022-25309
+Upstream-Status: Backport
[https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
+Signed-off-by: Pawan Badganchi
+
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ }
+ }
+ else
+- us[j++] = caprtl_to_unicode[(int) s[i]];
++ {
++if ((int)s[i] < 0)
++ us[j++] = '?';
++else
++ us[j++] = caprtl_to_unicode[(int) s[i]];
++ }
+ }
+
+ return j;
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
new file mode 100644
index 00..d79a82d648
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@
+From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
+From: Akira TAGOH
+Date: Thu, 17 Feb 2022 19:06:10 +0900
+Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from
