gnu: fribidi: Fix CVE-2019-18397.

* gnu/packages/fribidi.scm (fribidi): Replace with fribidi/fixed.
(fribidi/fixed): New variable.
* gnu/packages/patches/fribidi-CVE-2019-18397.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
Efraim Flashner 2019-11-09 21:03:19 +02:00
parent c6be161dbd
commit b8f0a3fdc8
No known key found for this signature in database
GPG key ID: 41AAE7DCCA3D8351
3 changed files with 38 additions and 2 deletions

View file

@ -838,6 +838,7 @@ dist_patch_DATA = \
%D%/packages/patches/flint-ldconfig.patch \ %D%/packages/patches/flint-ldconfig.patch \
%D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \
%D%/packages/patches/foomatic-filters-CVE-2015-8560.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch \
%D%/packages/patches/fribidi-CVE-2019-18397.patch \
%D%/packages/patches/freeimage-unbundle.patch \ %D%/packages/patches/freeimage-unbundle.patch \
%D%/packages/patches/fuse-overlapping-headers.patch \ %D%/packages/patches/fuse-overlapping-headers.patch \
%D%/packages/patches/gawk-shell.patch \ %D%/packages/patches/gawk-shell.patch \

View file

@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014 Marek Benc <merkur32@gmail.com> ;;; Copyright © 2014 Marek Benc <merkur32@gmail.com>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016, 2019 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
@ -22,10 +22,12 @@ (define-module (gnu packages fribidi)
#:use-module (guix packages) #:use-module (guix packages)
#:use-module (guix download) #:use-module (guix download)
#:use-module (guix build-system gnu) #:use-module (guix build-system gnu)
#:use-module (guix licenses)) #:use-module (guix licenses)
#:use-module (gnu packages))
(define-public fribidi (define-public fribidi
(package (package
(replacement fribidi/fixed)
(name "fribidi") (name "fribidi")
(version "1.0.5") (version "1.0.5")
(source (source
@ -45,3 +47,10 @@ (define-public fribidi
or right-to-left ordering as necessary.") or right-to-left ordering as necessary.")
(home-page "https://github.com/fribidi/fribidi") (home-page "https://github.com/fribidi/fribidi")
(license lgpl2.1+))) (license lgpl2.1+)))
(define fribidi/fixed
(package
(inherit fribidi)
(source
(origin (inherit (package-source fribidi))
(patches (search-patches "fribidi-CVE-2019-18397.patch"))))))

View file

@ -0,0 +1,26 @@
https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568.patch
From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001
From: Dov Grobgeld <dov.grobgeld@gmail.com>
Date: Thu, 24 Oct 2019 09:37:29 +0300
Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
---
lib/fribidi-bidi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c
index 6c84392..d384878 100644
--- a/lib/fribidi-bidi.c
+++ b/lib/fribidi-bidi.c
@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex (
}
RL_LEVEL (pp) = level;
- RL_ISOLATE_LEVEL (pp) = isolate_level++;
+ RL_ISOLATE_LEVEL (pp) = isolate_level;
+ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1)
+ isolate_level++;
base_level_per_iso_level[isolate_level] = new_level;
if (!FRIBIDI_IS_NEUTRAL (override))