PublicDateAtUSN: 2019-11-07 17:00:00 UTC
Candidate: CVE-2019-18397
CRD: 2019-11-07 17:00:00 UTC
PublicDate: 2019-11-13 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18397
 https://ubuntu.com/security/notices/USN-4179-1
Description:
 A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in
 lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause
 a denial of service or possibly execute arbitrary code by delivering
 crafted text content to a user, when this content is then rendered by an
 application that uses FriBidi for text layout calculations. Examples
 include any GNOME or GTK+ based application that uses Pango for text
 layout, as this internally uses FriBidi for bidirectional text layout. For
 example, the attacker can construct a crafted text file to be opened in
 GEdit, or a crafted IRC message to be viewed in HexChat.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Alex Murray of the Ubuntu Security Team
Assigned-to: amurray
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_fribidi:
 upstream: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
upstream_fribidi: needs-triage
precise/esm_fribidi: not-affected (0.19.2-1)
trusty_fribidi: ignored (out of standard support)
trusty/esm_fribidi: not-affected (0.19.6-1)
xenial_fribidi: not-affected (0.19.7-1)
esm-infra/xenial_fribidi: not-affected (0.19.7-1)
bionic_fribidi: not-affected (0.19.7-2)
disco_fribidi: released (1.0.5-3.1ubuntu0.19.04.1)
eoan_fribidi: released (1.0.5-3.1ubuntu0.19.10.1)
devel_fribidi: not-affected (1.0.7-1.1)