Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 699338 (CVE-2019-18397) - <dev-libs/fribidi-1.0.8: stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c (CVE-2019-18397)
Summary: <dev-libs/fribidi-1.0.8: stack buffer overflow in the fribidi_get_par_embeddi...
Alias: CVE-2019-18397
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on:
Reported: 2019-11-04 21:37 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-03-19 16:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-04 21:37:22 UTC
A stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi 1.0.0 through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text rendering, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, a crafted IRC message to be viewed in HexChat or a crafted email to be viewed in Evolution.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-04 21:38:33 UTC
Upstream fix (already public):
Comment 2 Larry the Git Cow gentoo-dev 2019-12-25 20:50:47 UTC
The bug has been referenced in the following commit(s):

commit 77e557a14b9c35e0ea9b8a29f50d22a96b9e7fc1
Author:     Mart Raudsepp <>
AuthorDate: 2019-12-25 20:46:50 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2019-12-25 20:50:28 +0000

    dev-libs/fribidi: security bump to 1.0.8
    Package-Manager: Portage-2.3.79, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <>

 dev-libs/fribidi/Manifest             |  1 +
 dev-libs/fribidi/fribidi-1.0.8.ebuild | 37 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-26 18:45:56 UTC
amd64 stable
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-12-27 17:21:25 UTC
arm64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-28 12:35:11 UTC
ia64 stable
Comment 6 Rolf Eike Beer archtester 2019-12-29 20:07:54 UTC
hppa/sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-30 12:29:22 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-30 15:34:00 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-30 15:53:47 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-01-01 12:53:41 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-01-03 12:30:53 UTC
s390 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 16:34:43 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 16:43:01 UTC
This issue was resolved and addressed in
 GLSA 202003-41 at
by GLSA coordinator Thomas Deutschmann (whissi).