JuliaLang · mbauman · Oct 20, 2025 · Oct 19, 2025
diff --git a/advisories/published/2025/JLSEC-0000-mns69f52y-10liw3g.md b/advisories/published/2025/JLSEC-0000-mns69f52y-10liw3g.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns69f52y-10liw3g"
+modified = 2025-10-19T19:44:23.674Z
+upstream = ["CVE-2019-18397"]
+references = ["https://access.redhat.com/errata/RHSA-2019:4326", "https://access.redhat.com/errata/RHSA-2019:4361", "https://access.redhat.com/errata/RHSA-2020:0291", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944327", "https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFS3N6KKXPI6ATDNEUFRSLX7R6BOBNIP/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5UJRTG32FDNI7T637Q6PZYL3UCRR5HR/", "https://marc.info/?l=oss-security&m=157322128105807&w=2", "https://security-tracker.debian.org/tracker/CVE-2019-18397", "https://security.gentoo.org/glsa/202003-41", "https://access.redhat.com/errata/RHSA-2019:4326", "https://access.redhat.com/errata/RHSA-2019:4361", "https://access.redhat.com/errata/RHSA-2020:0291", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944327", "https://github.com/fribidi/fribidi/commit/034c6e9a1d296286305f4cfd1e0072b879f52568", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFS3N6KKXPI6ATDNEUFRSLX7R6BOBNIP/", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5UJRTG32FDNI7T637Q6PZYL3UCRR5HR/", "https://marc.info/?l=oss-security&m=157322128105807&w=2", "https://security-tracker.debian.org/tracker/CVE-2019-18397", "https://security.gentoo.org/glsa/202003-41"]
+
+[[affected]]
+pkg = "FriBidi_jll"
+ranges = ["< 1.0.10+0"]
+
+[[jlsec_sources]]
+id = "CVE-2019-18397"
+imported = 2025-10-19T19:44:23.674Z
+modified = 2024-11-21T04:33:12.027Z
+published = 2019-11-13T14:15:10.287Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2019-18397"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2019-18397"
+```
+
+# A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU...
+
+A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns69f53e-53c2hl.md b/advisories/published/2025/JLSEC-0000-mns69f53e-53c2hl.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns69f53e-53c2hl"
+modified = 2025-10-19T19:44:23.690Z
+upstream = ["CVE-2022-25308"]
+references = ["https://access.redhat.com/security/cve/CVE-2022-25308", "https://bugzilla.redhat.com/show_bug.cgi?id=2047890", "https://github.com/fribidi/fribidi/issues/181", "https://github.com/fribidi/fribidi/pull/184", "https://access.redhat.com/security/cve/CVE-2022-25308", "https://bugzilla.redhat.com/show_bug.cgi?id=2047890", "https://github.com/fribidi/fribidi/issues/181", "https://github.com/fribidi/fribidi/pull/184"]
+
+[[affected]]
+pkg = "FriBidi_jll"
+ranges = ["< 1.0.14+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-25308"
+imported = 2025-10-19T19:44:23.690Z
+modified = 2024-11-21T06:51:58.117Z
+published = 2022-09-06T18:15:11.437Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-25308"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-25308"
+```
+
+# A stack-based buffer overflow flaw was found in the Fribidi package
+
+A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns69f53g-13dp2t8.md b/advisories/published/2025/JLSEC-0000-mns69f53g-13dp2t8.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns69f53g-13dp2t8"
+modified = 2025-10-19T19:44:23.692Z
+upstream = ["CVE-2022-25309"]
+references = ["https://access.redhat.com/security/cve/CVE-2022-25309", "https://bugzilla.redhat.com/show_bug.cgi?id=2047896", "https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3", "https://github.com/fribidi/fribidi/issues/182", "https://access.redhat.com/security/cve/CVE-2022-25309", "https://bugzilla.redhat.com/show_bug.cgi?id=2047896", "https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3", "https://github.com/fribidi/fribidi/issues/182"]
+
+[[affected]]
+pkg = "FriBidi_jll"
+ranges = ["< 1.0.14+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-25309"
+imported = 2025-10-19T19:44:23.692Z
+modified = 2024-11-21T06:51:58.233Z
+published = 2022-09-06T18:15:11.493Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-25309"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-25309"
+```
+
+# A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_t...
+
+A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns69f53h-1kqdk9z.md b/advisories/published/2025/JLSEC-0000-mns69f53h-1kqdk9z.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns69f53h-1kqdk9z"
+modified = 2025-10-19T19:44:23.693Z
+upstream = ["CVE-2022-25310"]
+references = ["https://access.redhat.com/security/cve/CVE-2022-25310", "https://bugzilla.redhat.com/show_bug.cgi?id=2047923", "https://github.com/fribidi/fribidi/issues/183", "https://github.com/fribidi/fribidi/pull/186", "https://access.redhat.com/security/cve/CVE-2022-25310", "https://bugzilla.redhat.com/show_bug.cgi?id=2047923", "https://github.com/fribidi/fribidi/issues/183", "https://github.com/fribidi/fribidi/pull/186"]
+
+[[affected]]
+pkg = "FriBidi_jll"
+ranges = ["< 1.0.14+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-25310"
+imported = 2025-10-19T19:44:23.693Z
+modified = 2024-11-21T06:51:58.347Z
+published = 2022-09-06T18:15:11.557Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-25310"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-25310"
+```
+
+# A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bid...
+
+A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.
+