133/184: gnu: fribidi: Fix CVE-2019-18397.

[guix-commits]

kkebreau pushed a commit to branch wip-gnome-updates
in repository guix.

commit 5c84a08057e4f525cab79f22bc24f5443fe77426
Author: Efraim Flashner <address@hidden>
Date:   Sat Nov 9 21:03:19 2019 +0200

    gnu: fribidi: Fix CVE-2019-18397.
    
    * gnu/packages/fribidi.scm (fribidi): Replace with fribidi/fixed.
    (fribidi/fixed): New variable.
    * gnu/packages/patches/fribidi-CVE-2019-18397.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/fribidi.scm                          | 13 ++++++++++--
 gnu/packages/patches/fribidi-CVE-2019-18397.patch | 26 +++++++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 8c79b63..0e354e4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -838,6 +838,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/flint-ldconfig.patch                    \
   %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch    \
   %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch    \
+  %D%/packages/patches/fribidi-CVE-2019-18397.patch            \
   %D%/packages/patches/freeimage-unbundle.patch                \
   %D%/packages/patches/fuse-overlapping-headers.patch                          
\
   %D%/packages/patches/gawk-shell.patch                                \
diff --git a/gnu/packages/fribidi.scm b/gnu/packages/fribidi.scm
index dfd2a77..61aa6fd 100644
--- a/gnu/packages/fribidi.scm
+++ b/gnu/packages/fribidi.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Marek Benc <address@hidden>
-;;; Copyright © 2016 Efraim Flashner <address@hidden>
+;;; Copyright © 2016, 2019 Efraim Flashner <address@hidden>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -22,10 +22,12 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
-  #:use-module (guix licenses))
+  #:use-module (guix licenses)
+  #:use-module (gnu packages))
 
 (define-public fribidi
   (package
+    (replacement fribidi/fixed)
     (name "fribidi")
     (version "1.0.5")
     (source
@@ -45,3 +47,10 @@ Algorithm.  This algorithm is used to properly display text 
in left-to-right
 or right-to-left ordering as necessary.")
     (home-page "https://github.com/fribidi/fribidi";)
     (license lgpl2.1+)))
+
+(define fribidi/fixed
+  (package
+    (inherit fribidi)
+    (source
+      (origin (inherit (package-source fribidi))
+              (patches (search-patches "fribidi-CVE-2019-18397.patch"))))))
diff --git a/gnu/packages/patches/fribidi-CVE-2019-18397.patch 
b/gnu/packages/patches/fribidi-CVE-2019-18397.patch
new file mode 100644
index 0000000..aff1a66
--- /dev/null
+++ b/gnu/packages/patches/fribidi-CVE-2019-18397.patch
@@ -0,0 +1,26 @@
+https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568.patch
+
+From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <address@hidden>
+Date: Thu, 24 Oct 2019 09:37:29 +0300
+Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
+
+---
+ lib/fribidi-bidi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c
+index 6c84392..d384878 100644
+--- a/lib/fribidi-bidi.c
++++ b/lib/fribidi-bidi.c
+@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex (
+             }
+ 
+         RL_LEVEL (pp) = level;
+-          RL_ISOLATE_LEVEL (pp) = isolate_level++;
++          RL_ISOLATE_LEVEL (pp) = isolate_level;
++          if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1)
++              isolate_level++;
+           base_level_per_iso_level[isolate_level] = new_level;
+ 
+         if (!FRIBIDI_IS_NEUTRAL (override))