diff --git a/CVE-2019-18397.patch b/CVE-2019-18397.patch new file mode 100644 index 0000000000000000000000000000000000000000..157eb18211a4de64f889e7bcd2c1d3dd5a540744 --- /dev/null +++ b/CVE-2019-18397.patch @@ -0,0 +1,25 @@ +From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001 +From: Dov Grobgeld +Date: Thu, 24 Oct 2019 09:37:29 +0300 +Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL + +--- + lib/fribidi-bidi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c +index 6c84392..d384878 100644 +--- a/lib/fribidi-bidi.c ++++ b/lib/fribidi-bidi.c +@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex ( + } + + RL_LEVEL (pp) = level; +- RL_ISOLATE_LEVEL (pp) = isolate_level++; ++ RL_ISOLATE_LEVEL (pp) = isolate_level; ++ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1) ++ isolate_level++; + base_level_per_iso_level[isolate_level] = new_level; + + if (!FRIBIDI_IS_NEUTRAL (override)) + diff --git a/fribidi.spec b/fribidi.spec index 72ff2694fa2c30fe010cb421498c03b2e82974ca..cbb57ef7586f7908f184a8fd420326aba1a77b76 100644 --- a/fribidi.spec +++ b/fribidi.spec @@ -1,12 +1,13 @@ Name: fribidi Version: 1.0.5 -Release: 3 +Release: 4 Summary: Library implementing the Unicode Bidirectional Algorithm License: LGPLv2+ and UCD URL: https://github.com/fribidi/fribidi/ Source: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 BuildRequires: gcc automake autoconf libtool +Patch6000: CVE-2019-18397.patch %description A library to handle bidirectional scripts (for example Hebrew, Arabic), @@ -53,6 +54,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_mandir}/man3/*.gz %changelog +* Sun Jan 12 2020 zhangrui - 1.0.5-4 +- fix CVE-2019-18397 + * Fri Jan 10 2020 zhangrui - 1.0.5-3 - Remove unnecessary patch
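Review bot: The clamp `if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1)` in the fribidi-bidi.c hunk keeps the next write, `base_level_per_iso_level[isolate_level] = new_level;`, in bounds only if that array has at least FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL entries. The declaration is outside the hunk, so confirm it against the 1.0.5 sources this backport applies to. I would state the invariant at the check, e.g. `/* saturate: isolate_level indexes base_level_per_iso_level[], so it must stay <= FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1 */`. Once saturated, deeper isolate initiators reuse the last slot and RL_ISOLATE_LEVEL no longer tracks the real nesting depth; whether the matching decrement elsewhere in fribidi_get_par_embedding_levels_ex stays balanced is not visible here. A regression test that runs over-limit isolate nesting under AddressSanitizer would cover both the bound and the unwind path.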
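Review bot: `Patch6000: CVE-2019-18397.patch` is declared in the first fribidi.spec hunk, but nothing in this diff touches `%prep`, so it is not visible whether the patch is actually applied at build time. If `%prep` uses `%autosetup -p1` this is fine. If it uses plain `%setup`, a `%patch6000 -p1` line is needed; without it, 1.0.5-4 would ship with a changelog claiming the CVE fix while building unpatched sources. It is worth checking the build log for the patch being applied before the release is tagged as fixed.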