CVE-2019-18397

Name	CVE-2019-18397
Description	A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4561-1
Debian Bugs	944327

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
fribidi (PTS)	buster	1.0.5-3.1+deb10u2	fixed
	buster (security)	1.0.5-3.1+deb10u1	fixed
	bullseye	1.0.8-2+deb11u1	fixed
	bookworm	1.0.8-2.1	fixed
	sid, trixie	1.0.13-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
fribidi	source	jessie	(not affected)
fribidi	source	stretch	(not affected)
fribidi	source	buster	1.0.5-3.1+deb10u1	DSA-4561-1
fribidi	source	(unstable)	1.0.7-1.1		944327

Notes

[stretch] - fribidi <not-affected> (Vulnerable code not present)
[jessie] - fribidi <not-affected> (Vulnerable code not present)
Fixed by: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568
Introduced by: https://github.com/fribidi/fribidi/commit/f20b6480b9cd46dae8d82a6f95d9c53558fcfd20 (v1.0.0)