Control: tags 944327 + patch
Control: tags 944327 + pending

Dear maintainer(s),
I've prepared an NMU for fribidi (versioned as 1.0.7-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. A merge request has also been created at https://salsa.debian.org/debian/fribidi/merge_requests/2 .

Regards,
Salvatore
diff -Nru fribidi-1.0.7/debian/changelog fribidi-1.0.7/debian/changelog --- fribidi-1.0.7/debian/changelog 2019-10-03 06:03:43.000000000 +0200 +++ fribidi-1.0.7/debian/changelog 2019-11-08 13:36:50.000000000 +0100 @@ -1,3 +1,11 @@ +fribidi (1.0.7-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL (CVE-2019-18397) + (Closes: #944327) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 08 Nov 2019 13:36:50 +0100 + fribidi (1.0.7-1) unstable; urgency=medium * Imported Upstream version 1.0.7 diff -Nru fribidi-1.0.7/debian/patches/Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff fribidi-1.0.7/debian/patches/Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff --- fribidi-1.0.7/debian/patches/Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff 1970-01-01 01:00:00.000000000 +0100 +++ fribidi-1.0.7/debian/patches/Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff 2019-11-08 13:36:50.000000000 +0100 
@@ -0,0 +1,29 @@ +From: Dov Grobgeld <dov.grobg...@gmail.com> +Date: Thu, 24 Oct 2019 09:37:29 +0300 +Subject: Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL +Origin: https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18397 +Bug-Debian: https://bugs.debian.org/944327 + +--- + lib/fribidi-bidi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c +index 6c843922685c..d38487852fe7 100644 +--- a/lib/fribidi-bidi.c ++++ b/lib/fribidi-bidi.c +@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex ( + } + + RL_LEVEL (pp) = level; +- RL_ISOLATE_LEVEL (pp) = isolate_level++; ++ RL_ISOLATE_LEVEL (pp) = isolate_level; ++ if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1) ++ isolate_level++; + base_level_per_iso_level[isolate_level] = new_level; + + if (!FRIBIDI_IS_NEUTRAL (override)) +-- +2.24.0 + diff -Nru fribidi-1.0.7/debian/patches/series fribidi-1.0.7/debian/patches/series --- fribidi-1.0.7/debian/patches/series 2019-10-03 06:03:43.000000000 +0200 +++ fribidi-1.0.7/debian/patches/series 2019-11-08 13:36:50.000000000 +0100 @@ -1 +1,2 @@ manpages.diff +Truncate-isolate_level-to-FRIBIDI_BIDI_MAX_EXPLICIT_.diff
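Review bot: in the lib/fribidi-bidi.c hunk, the cap `if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1) isolate_level++;` bounds the index used on the very next line, `base_level_per_iso_level[isolate_level] = new_level;`, at FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1, which is what stops the unbounded `isolate_level++` of the old code from writing past the end of that array. The declaration of `base_level_per_iso_level` is not in the hunk, so please confirm it has at least FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL elements; otherwise the capped index is still out of bounds. Note also that `RL_ISOLATE_LEVEL (pp)` keeps receiving the pre-increment value as before, but once the cap is reached every further isolate initiator shares the same isolate level and overwrites the same `base_level_per_iso_level` slot, which is the intended truncation rather than an error.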
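Review bot: the changelog entry says "Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL", but the code in the quoted patch stops incrementing at FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1, so the effective maximum is one below the named constant. The wording follows the upstream subject line, so it is acceptable as-is, but a reader tracing CVE-2019-18397 may find "to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1" less surprising. The new patch is correctly appended to debian/patches/series after manpages.diff.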