Security update for liblouis SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1160-1 Final 1 1 2019-04-05T10:06:53Z current 2019-04-05T10:06:53Z 2019-04-05T10:06:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for liblouis This update for liblouis fixes the following issues: Security issues fixed: - CVE-2018-17294: Fixed an out of bounds read in matchCurrentInput function which could allow a remote attacker to cause Denail of Service (bsc#1109319). - CVE-2018-11410: Fixed an invalid free in the compileRule function in compileTranslationTable.c (bsc#1094685) - CVE-2018-11440: Fixed a stack-based buffer overflow in the function parseChars() in compileTranslationTable.c (bsc#1095189) - CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c (bsc#1095945) - CVE-2018-11683: Fixed a stack-based buffer overflow in the function parseChars() in compileTranslationTable.c (different vulnerability than CVE-2018-11440) (bsc#1095827) - CVE-2018-11684: Fixed stack-based buffer overflow in the function includeFile() in compileTranslationTable.c (bsc#1095826) - CVE-2018-11685: Fixed a stack-based buffer overflow in the function compileHyphenation() in compileTranslationTable.c (bsc#1095825) - CVE-2018-12085: Fixed a stack-based buffer overflow in the function parseChars() in compileTranslationTable.c (different vulnerability than CVE-2018-11440) (bsc#1097103) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1160 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html E-Mail link for openSUSE-SU-2019:1160-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1094685 SUSE Bug 1094685 https://bugzilla.suse.com/1095189 SUSE Bug 1095189 https://bugzilla.suse.com/1095825 SUSE Bug 1095825 https://bugzilla.suse.com/1095826 SUSE Bug 1095826 https://bugzilla.suse.com/1095827 SUSE Bug 1095827 https://bugzilla.suse.com/1095945 SUSE Bug 1095945 https://bugzilla.suse.com/1097103 SUSE Bug 1097103 https://bugzilla.suse.com/1109319 SUSE Bug 1109319 https://www.suse.com/security/cve/CVE-2018-11410/ SUSE CVE CVE-2018-11410 page https://www.suse.com/security/cve/CVE-2018-11440/ SUSE CVE CVE-2018-11440 page https://www.suse.com/security/cve/CVE-2018-11577/ SUSE CVE CVE-2018-11577 page https://www.suse.com/security/cve/CVE-2018-11683/ SUSE CVE CVE-2018-11683 page https://www.suse.com/security/cve/CVE-2018-11684/ SUSE CVE CVE-2018-11684 page https://www.suse.com/security/cve/CVE-2018-11685/ SUSE CVE CVE-2018-11685 page https://www.suse.com/security/cve/CVE-2018-12085/ SUSE CVE CVE-2018-12085 page https://www.suse.com/security/cve/CVE-2018-17294/ SUSE CVE CVE-2018-17294 page openSUSE Leap 15.0 liblouis-data-3.3.0-lp150.3.3.1 liblouis-devel-3.3.0-lp150.3.3.1 liblouis-doc-3.3.0-lp150.3.3.1 liblouis-tools-3.3.0-lp150.3.3.1 liblouis14-3.3.0-lp150.3.3.1 python3-louis-3.3.0-lp150.3.3.1 liblouis-data-3.3.0-lp150.3.3.1 as a component of openSUSE Leap 15.0 liblouis-devel-3.3.0-lp150.3.3.1 as a component of openSUSE Leap 15.0 liblouis-doc-3.3.0-lp150.3.3.1 as a component of openSUSE Leap 15.0 liblouis-tools-3.3.0-lp150.3.3.1 as a component of openSUSE Leap 15.0 liblouis14-3.3.0-lp150.3.3.1 as a component of openSUSE Leap 15.0 python3-louis-3.3.0-lp150.3.3.1 as a component of openSUSE Leap 15.0 An issue was discovered in Liblouis 3.5.0. A invalid free in the compileRule function in compileTranslationTable.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-11410 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-11410.html CVE-2018-11410 https://bugzilla.suse.com/1094685 SUSE Bug 1094685 Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c. CVE-2018-11440 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-11440.html CVE-2018-11440 https://bugzilla.suse.com/1095189 SUSE Bug 1095189 https://bugzilla.suse.com/1095827 SUSE Bug 1095827 https://bugzilla.suse.com/1096665 SUSE Bug 1096665 https://bugzilla.suse.com/1097103 SUSE Bug 1097103 Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. CVE-2018-11577 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-11577.html CVE-2018-11577 https://bugzilla.suse.com/1095945 SUSE Bug 1095945 Liblouis 3.5.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c, a different vulnerability than CVE-2018-11440. CVE-2018-11683 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-11683.html CVE-2018-11683 https://bugzilla.suse.com/1095827 SUSE Bug 1095827 https://bugzilla.suse.com/1096665 SUSE Bug 1096665 Liblouis 3.5.0 has a stack-based Buffer Overflow in the function includeFile in compileTranslationTable.c. CVE-2018-11684 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-11684.html CVE-2018-11684 https://bugzilla.suse.com/1095826 SUSE Bug 1095826 Liblouis 3.5.0 has a stack-based Buffer Overflow in the function compileHyphenation in compileTranslationTable.c. CVE-2018-11685 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-11685.html CVE-2018-11685 https://bugzilla.suse.com/1095825 SUSE Bug 1095825 Liblouis 3.6.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c, a different vulnerability than CVE-2018-11440. CVE-2018-12085 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-12085.html CVE-2018-12085 https://bugzilla.suse.com/1097103 SUSE Bug 1097103 The matchCurrentInput function inside lou_translateString.c of Liblouis prior to 3.7 does not check the input string's length, allowing attackers to cause a denial of service (application crash via out-of-bounds read) by crafting an input file with certain translation dictionaries. CVE-2018-17294 openSUSE Leap 15.0:liblouis-data-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-devel-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-doc-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis-tools-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:liblouis14-3.3.0-lp150.3.3.1 openSUSE Leap 15.0:python3-louis-3.3.0-lp150.3.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.html https://www.suse.com/security/cve/CVE-2018-17294.html CVE-2018-17294 https://bugzilla.suse.com/1109319 SUSE Bug 1109319