
Bug 59692

Summary: x11-libs/pango New version fixes DoS vuln in xchat with hangul characters
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: https://sourceforge.net/tracker/?func=detail&atid=100239&aid=984373&group_id=239
Whiteboard: A3? [ glsa? ] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-07 07:09:24 UTC
 
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-07 07:10:50 UTC
Please bump pango to 1.4.1
Comment 2 foser (RETIRED) gentoo-dev 2004-08-07 08:11:54 UTC
It is already in... I guess it needs to go stable?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-07 08:26:42 UTC
foser thanks for the swift reaction.

Arches please mark stable. Target keywords:

alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2004-08-07 20:11:56 UTC
stable on ia64
Comment 5 foser (RETIRED) gentoo-dev 2004-08-08 02:30:34 UTC
x86 is stable
Comment 6 Travis Tilley (RETIRED) gentoo-dev 2004-08-08 09:00:07 UTC
stable on amd64
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-08-08 09:11:11 UTC
sparc'd it like a hurricane
Comment 8 SpanKY gentoo-dev 2004-08-08 20:57:41 UTC
hppa stable
Comment 9 SpanKY gentoo-dev 2004-08-09 04:45:02 UTC
stable on arm
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-09 13:16:32 UTC
lu_zero thanks for the ppc mark though next time please put a note on the bug.

Security: time to decide GLSA status. Please place your votes
Comment 11 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-08-10 12:09:48 UTC
I don't have any objections to issuing a GLSA, but I don't think it's really necessary unless there's some arbitrary code execution going on.  It's not clear from the SourceForge bug whether or not this is possible.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-10 12:39:45 UTC
It appears that if you use utf8 and xft backend it will result in xchats dropping out of IRC if another client pastes in some Hangul text. Locally xchat can crash if xtext is used as backend. I guess it could cause other Gnome apps to crash.

I tend to vote for no GLSA.
Comment 13 foser (RETIRED) gentoo-dev 2004-08-10 13:07:23 UTC
I bet if you try to exploit it, you can do it in many ways. I believe xchat is just an easy show, but afaics any pango-using application is vulnerable. I'm not sure what the exact conditions need to be, but there have been more bug reports of crashes in the hangul module over time with different applications.
Comment 14 Tim Yamin (RETIRED) gentoo-dev 2004-08-11 05:37:19 UTC
I'm also voting for no GLSA here; but I have no objections to one getting released if somebody wants to do it.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 07:40:54 UTC
I see no other Pango advisories and the Release Announcement just says:

* Fix common crash in Hangul shaper [Changwoo Ryu]

No mention of any security implications. 
Comment 16 Luca Barbato gentoo-dev 2004-08-12 01:40:45 UTC
Sune, sorry, I thought I put a comment here, probably got missed due to my feeble uplink =/
Comment 17 Kurt Lieber (RETIRED) gentoo-dev 2004-08-12 04:40:47 UTC
sounds like a fairly obscure exploit, so I'm OK with no GLSA.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-12 09:20:44 UTC
Closing without GLSA. If anyone disagrees feel free to reopen and provide information for a GLSA.
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-12 16:43:28 UTC
Stable on alpha.
Comment 20 Stephen Becker (RETIRED) gentoo-dev 2004-08-14 12:59:38 UTC
stable on mips
Comment 21 Tom Gall (RETIRED) gentoo-dev 2004-09-25 22:33:56 UTC
nothing to do here. ppc64 is already stable on 1.4.1