Lucene search

AmazonALAS2-2020-1434

HistoryJun 03, 2020 - 6:24 p.m.

Important: fribidi

2020-06-0318:24:00

alas.aws.amazon.com

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.002

Percentile

58.9%

JSON

Issue Overview:

A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat. (CVE-2019-18397)

Affected Packages:

fribidi

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update fribidi to update your system.

New Packages:

aarch64:  
    fribidi-1.0.2-1.amzn2.1.aarch64  
    fribidi-devel-1.0.2-1.amzn2.1.aarch64  
    fribidi-debuginfo-1.0.2-1.amzn2.1.aarch64  
  
i686:  
    fribidi-1.0.2-1.amzn2.1.i686  
    fribidi-devel-1.0.2-1.amzn2.1.i686  
    fribidi-debuginfo-1.0.2-1.amzn2.1.i686  
  
src:  
    fribidi-1.0.2-1.amzn2.1.src  
  
x86_64:  
    fribidi-1.0.2-1.amzn2.1.x86_64  
    fribidi-devel-1.0.2-1.amzn2.1.x86_64  
    fribidi-debuginfo-1.0.2-1.amzn2.1.x86_64

Additional References

Red Hat: CVE-2019-18397

Mitre: CVE-2019-18397

OSVersionArchitecturePackageVersionFilename
Amazon Linux2aarch64fribidi< 1.0.2-1.amzn2.1fribidi-1.0.2-1.amzn2.1.aarch64.rpm
Amazon Linux2aarch64fribidi-devel< 1.0.2-1.amzn2.1fribidi-devel-1.0.2-1.amzn2.1.aarch64.rpm
Amazon Linux2aarch64fribidi-debuginfo< 1.0.2-1.amzn2.1fribidi-debuginfo-1.0.2-1.amzn2.1.aarch64.rpm
Amazon Linux2i686fribidi< 1.0.2-1.amzn2.1fribidi-1.0.2-1.amzn2.1.i686.rpm
Amazon Linux2i686fribidi-devel< 1.0.2-1.amzn2.1fribidi-devel-1.0.2-1.amzn2.1.i686.rpm
Amazon Linux2i686fribidi-debuginfo< 1.0.2-1.amzn2.1fribidi-debuginfo-1.0.2-1.amzn2.1.i686.rpm
Amazon Linux2x86_64fribidi< 1.0.2-1.amzn2.1fribidi-1.0.2-1.amzn2.1.x86_64.rpm
Amazon Linux2x86_64fribidi-devel< 1.0.2-1.amzn2.1fribidi-devel-1.0.2-1.amzn2.1.x86_64.rpm
Amazon Linux2x86_64fribidi-debuginfo< 1.0.2-1.amzn2.1fribidi-debuginfo-1.0.2-1.amzn2.1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	aarch64	fribidi	< 1.0.2-1.amzn2.1	fribidi-1.0.2-1.amzn2.1.aarch64.rpm
Amazon Linux	2	aarch64	fribidi-devel	< 1.0.2-1.amzn2.1	fribidi-devel-1.0.2-1.amzn2.1.aarch64.rpm
Amazon Linux	2	aarch64	fribidi-debuginfo	< 1.0.2-1.amzn2.1	fribidi-debuginfo-1.0.2-1.amzn2.1.aarch64.rpm
Amazon Linux	2	i686	fribidi	< 1.0.2-1.amzn2.1	fribidi-1.0.2-1.amzn2.1.i686.rpm
Amazon Linux	2	i686	fribidi-devel	< 1.0.2-1.amzn2.1	fribidi-devel-1.0.2-1.amzn2.1.i686.rpm
Amazon Linux	2	i686	fribidi-debuginfo	< 1.0.2-1.amzn2.1	fribidi-debuginfo-1.0.2-1.amzn2.1.i686.rpm
Amazon Linux	2	x86_64	fribidi	< 1.0.2-1.amzn2.1	fribidi-1.0.2-1.amzn2.1.x86_64.rpm
Amazon Linux	2	x86_64	fribidi-devel	< 1.0.2-1.amzn2.1	fribidi-devel-1.0.2-1.amzn2.1.x86_64.rpm
Amazon Linux	2	x86_64	fribidi-debuginfo	< 1.0.2-1.amzn2.1	fribidi-debuginfo-1.0.2-1.amzn2.1.x86_64.rpm