Buffer Overflow Vulnerability in GNU FriBidi Affects Multiple Applications
CVE-2019-18397

7.8 HIGH

Key Information:

Vendor: Gnu
Status: Vendor
CVE Published: 13 November 2019

Summary

A buffer overflow exists in the fribidi_get_par_embedding_levels_ex() function of GNU FriBidi, affecting versions up to and including 1.0.7. An attacker can craft text input that, when processed by an application using FriBidi for text layout, triggers the overflow and leads to a denial of service or potentially the execution of arbitrary code. Applications such as GEdit and HexChat are notably exposed because they rely on Pango, which uses FriBidi for bidirectional text layout. Users of these applications should update FriBidi to a fixed version to mitigate this risk.

References

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
