Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. According to NVD, the affected versions are from 1.42.0 (incl) to 1.43.0 (incl). The upstream fix is there: https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54 Debian entry: https://security-tracker.debian.org/tracker/CVE-2019-1010238 NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010238 The latest Pango version is 1.44.3 as of today. Notice it depends on >=Glib-2.59.2 which is not stabilized yet. Best regards.
Latest as of today is pango-1.44.4 but we cannot simply bump to pango-1.44.x because it breaks at least x11-libs/pangox-compat package: https://gitlab.gnome.org/Archive/pangox-compat/issues/1 Furthermore it requires the ebuild being rewritten to use meson build system. I suggest to backport the fix instead.
Resetting version information in summary because we don't have a fixed version in tree yet.
Bumping to 1.44 will also break bitmap-only fonts, which will cause quite the uproar for users that use a gtk-based terminal emulator with such a font. So we'll need some handling of that first for 1.44 (even ~arch I think, let alone stable), e.g. telling how to create a truetype font from the bitmap font or so. Help welcome in that. Meanwhile yes, will need to look at backporting it.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39892b09bb0b45155d545c6fd9fec43a99ca4ecc commit 39892b09bb0b45155d545c6fd9fec43a99ca4ecc Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2019-08-15 11:30:15 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2019-08-15 11:35:56 +0000 x11-libs/pango: fix CVE-2019-1010238 Bug: https://bugs.gentoo.org/692110 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Mart Raudsepp <leio@gentoo.org> x11-libs/pango/files/1.42.4-CVE-2019-1010238.patch | 34 ++++++++++ x11-libs/pango/pango-1.42.4-r2.ebuild | 72 ++++++++++++++++++++++ 2 files changed, 106 insertions(+)
sparc stable
arm64 stable
x86 stable
hppa/ppc/ppc64 stable
amd64 stable
s390 stable
ia64 stable
alpha stable
arm stable
@maintainer, please drop vulnerable.
This issue was resolved and addressed in GLSA 201909-03 at https://security.gentoo.org/glsa/201909-03 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aea48b9efe2abf72a1878fda3bd6d9ebdc16d087 commit aea48b9efe2abf72a1878fda3bd6d9ebdc16d087 Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2019-09-07 09:16:14 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2019-09-07 09:16:14 +0000 x11-libs/pango: security cleanup Closes: https://bugs.gentoo.org/692110 Package-Manager: Portage-2.3.69, Repoman-2.3.12 Signed-off-by: Mart Raudsepp <leio@gentoo.org> x11-libs/pango/pango-1.42.4-r1.ebuild | 71 ----------------------------------- x11-libs/pango/pango-1.42.4.ebuild | 66 -------------------------------- 2 files changed, 137 deletions(-)
