PT-2019-4756 · Gnome+8 · Gedit+10

Alex Murray · Published 2019-11-07 · Updated 2025-10-20 · CVE-2019-18397

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GNU FriBidi versions 1.0.7 and earlier
Description: A buffer overflow in the fribidi_get_par_embedding_levels_ex() function allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user. This issue affects applications that use FriBidi for text layout calculations, such as GNOME or GTK+ based applications that use Pango for text layout. Examples of exploitation include constructing a crafted text file to be opened in GEdit or a crafted IRC message to be viewed in HexChat.
Recommendations: For GNU FriBidi versions 1.0.7 and earlier, update to a version later than 1.0.7 to resolve the issue. As a temporary workaround, restrict the use of the fribidi_get_par_embedding_levels_ex() function until a patch is available. Avoid using applications that rely on FriBidi for text layout calculations with untrusted text content until the issue is resolved.

Fix

DoS

Buffer Overflow


Weakness Enumeration

Related identifiers

ALT-PU-2019-3349
BDU:2020-01328
CESA-2019_4326
CESA-2019_4361
CVE-2019-18397
DSA-4561-1
JLSEC-2025-169
MGASA-2019-0325
OPENSUSE-SU-2021:0763-1
OPENSUSE-SU-2021:1655-1
OPENSUSE-SU-2021_0763-1
OPENSUSE-SU-2021_1655-1
OPENSUSE-SU-2024:10772-1
RHSA-2019:4326
RHSA-2019:4361
RHSA-2019_4326
RHSA-2019_4361
RHSA-2020:0291
SUSE-SU-2021:1655-1
SUSE-SU-2021_1655-1
USN-4179-1

Affected products

Alt Linux
Centos
Gedit
Gnome
Gnu Fribidi
Gtk+
Hexchat
Pango
Red Hat
Suse
Ubuntu