SUSE update for fribidi



Published: 2022-06-15 | Updated: 2022-12-02
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-25308
CVE-2022-25309
CVE-2022-25310
CWE-ID CWE-121
CWE-122
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Server for SAP
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

SUSE Enterprise Storage
Operating systems & Components / Operating system

SUSE CaaS Platform
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

libfribidi0-32bit-debuginfo
Operating systems & Components / Operating system package or component

libfribidi0-32bit
Operating systems & Components / Operating system package or component

libfribidi0-debuginfo
Operating systems & Components / Operating system package or component

libfribidi0
Operating systems & Components / Operating system package or component

fribidi-devel
Operating systems & Components / Operating system package or component

fribidi-debugsource
Operating systems & Components / Operating system package or component

fribidi-debuginfo
Operating systems & Components / Operating system package or component

fribidi
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Stack-based buffer overflow

EUVDB-ID: #VU62019

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25308

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package fribidi to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15 - 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libfribidi0-32bit-debuginfo: before 0.19.6-150000.3.3.1

libfribidi0-32bit: before 0.19.6-150000.3.3.1

libfribidi0-debuginfo: before 0.19.6-150000.3.3.1

libfribidi0: before 0.19.6-150000.3.3.1

fribidi-devel: before 0.19.6-150000.3.3.1

fribidi-debugsource: before 0.19.6-150000.3.3.1

fribidi-debuginfo: before 0.19.6-150000.3.3.1

fribidi: before 0.19.6-150000.3.3.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20222029-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

EUVDB-ID: #VU62020

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25309

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in fribidi_cap_rtl_to_unicode. A remote attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package fribidi to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15 - 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libfribidi0-32bit-debuginfo: before 0.19.6-150000.3.3.1

libfribidi0-32bit: before 0.19.6-150000.3.3.1

libfribidi0-debuginfo: before 0.19.6-150000.3.3.1

libfribidi0: before 0.19.6-150000.3.3.1

fribidi-devel: before 0.19.6-150000.3.3.1

fribidi-debugsource: before 0.19.6-150000.3.3.1

fribidi-debuginfo: before 0.19.6-150000.3.3.1

fribidi: before 0.19.6-150000.3.3.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20222029-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU62021

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25310

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to improper handling of empty input when removing marks from unicode strings. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation

Update the affected package fribidi to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15 - 15-SP1

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libfribidi0-32bit-debuginfo: before 0.19.6-150000.3.3.1

libfribidi0-32bit: before 0.19.6-150000.3.3.1

libfribidi0-debuginfo: before 0.19.6-150000.3.3.1

libfribidi0: before 0.19.6-150000.3.3.1

fribidi-devel: before 0.19.6-150000.3.3.1

fribidi-debugsource: before 0.19.6-150000.3.3.1

fribidi-debuginfo: before 0.19.6-150000.3.3.1

fribidi: before 0.19.6-150000.3.3.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20222029-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###