Ubuntu Security Notice USN-5476-1
Ubuntu Security Notice 5476-1 - Han Zheng discovered that Liblouis incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. This issue was addressed in Ubuntu 21.10 and Ubuntu 22.04 LTS. It was discovered that Liblouis incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code or cause a crash.
==========================================================================
Ubuntu Security Notice USN-5476-1
June 13, 2022
liblouis vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in liblouis.
Software Description:
- liblouis: Braille translation library - utilities
Details:
Han Zheng discovered that Liblouis incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash. This issue was
addressed in Ubuntu 21.10 and Ubuntu 22.04 LTS. (CVE-2022-26981)

It was discovered that Liblouis incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash. (CVE-2022-31783)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
  liblouis-bin 3.20.0-2ubuntu0.1
  liblouis20 3.20.0-2ubuntu0.1
Ubuntu 21.10:
  liblouis-bin 3.18.0-1ubuntu0.2
  liblouis20 3.18.0-1ubuntu0.2
Ubuntu 20.04 LTS:
  liblouis-bin 3.12.0-3ubuntu0.1
  liblouis20 3.12.0-3ubuntu0.1
Ubuntu 18.04 LTS:
  liblouis-bin 3.5.0-1ubuntu0.4
  liblouis14 3.5.0-1ubuntu0.4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5476-1
CVE-2022-26981, CVE-2022-31783
Package Information:
https://launchpad.net/ubuntu/+source/liblouis/3.20.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/liblouis/3.18.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/liblouis/3.12.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/liblouis/3.5.0-1ubuntu0.4
Related news
The issue was addressed with improved memory handling. This issue is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.
A logic issue was addressed with improved state management. This issue is fixed in iOS 15.6 and iPadOS 15.6. A user may be able to view restricted content from the lock screen.
Gentoo Linux Security Advisory 202301-6 - Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service. Versions less than 3.22.0 are affected.
Multiple out-of-bounds write issues were addressed with improved bounds checking. This issue is fixed in macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6. An app may be able to disclose kernel memory.
Apple Security Advisory 2022-07-20-6 - watchOS 8.7 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, and spoofing vulnerabilities.
Apple Security Advisory 2022-07-20-5 - tvOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, out of bounds read, out of bounds write, and spoofing vulnerabilities.
Apple Security Advisory 2022-07-20-2 - macOS Monterey 12.5 addresses bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.
Apple Security Advisory 2022-07-20-1 - iOS 15.6 and iPadOS 15.6 addresses buffer overflow, bypass, code execution, information leakage, null pointer, out of bounds read, out of bounds write, and spoofing vulnerabilities.
Liblouis 3.21.0 has an out-of-bounds write in compileRule in compileTranslationTable.c, as demonstrated by lou_trace.
Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).