Bug 59692

Summary:	x11-libs/pango New version fixes DoS vuln in xchat with hangul characters
Product:	Gentoo Security	Reporter:	Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gnome
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	https://sourceforge.net/tracker/?func=detail&atid=100239&aid=984373&group_id=239
Whiteboard:	A3? [ glsa? ] jaervosz
Package list:		Runtime testing required:	---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-07 07:09:24 UTC

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-07 07:10:50 UTC

Please bump pango to 1.4.1

Comment 2 foser (RETIRED) gentoo-dev

2004-08-07 08:11:54 UTC

it is already in.. i guess it needs to go stable ?

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-07 08:26:42 UTC

foser thanks for the swift reaction.

Arches please mark stable. Target keywords:

alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86

Comment 4 Aron Griffis (RETIRED) gentoo-dev

2004-08-07 20:11:56 UTC

stable on ia64

Comment 5 foser (RETIRED) gentoo-dev

2004-08-08 02:30:34 UTC

x86 is stable

Comment 6 Travis Tilley (RETIRED) gentoo-dev

2004-08-08 09:00:07 UTC

stable on amd64

Comment 7 Jason Wever (RETIRED) gentoo-dev

2004-08-08 09:11:11 UTC

sparc'd it like a hurricane

Comment 8 SpanKY gentoo-dev

2004-08-08 20:57:41 UTC

hppa stable

Comment 9 SpanKY gentoo-dev

2004-08-09 04:45:02 UTC

stable on arm

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-09 13:16:32 UTC

lu_zero thanks for the ppc mark though next time please put a note on the bug.

Security: time to decide GLSA status. Please place your votes

Comment 11 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev

2004-08-10 12:09:48 UTC

I don't have any objections to issuing a GLSA, but I don't think it's really necessary unless there's some arbitrary code execution going on.  It's not clear from the SourceForge bug whether or not this is possible.

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-10 12:39:45 UTC

It appears that if you use utf8 and xft backend it will result in a xchats dropping out of IRC if another client pastes in some Hangul text. Locally xchat can crash if xtext is used as backend. I guess it could cause other Gnome apps to crash.

I tend to vote for no GLSA.

Comment 13 foser (RETIRED) gentoo-dev

2004-08-10 13:07:23 UTC

I bet if you try to exploit it, you can do it in many ways. I believe xchat is just an easy show, but afaics any pango using applications is vulnerable. I'm not sure what the exact conditions need to be, but there have been more bugreports of crashes in the hangul module over time with different applications.

Comment 14 Tim Yamin (RETIRED) gentoo-dev

2004-08-11 05:37:19 UTC

I'm also voting for no GLSA here; but I have no objections to one getting released if somebody wants to do it.

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-11 07:40:54 UTC

I see no other Pango advisories and the Release Announcement just says:

* Fix common crash in Hangul shaper [Changwoo Ryu]

No mention of any security implications.

Comment 16 Luca Barbato gentoo-dev

2004-08-12 01:40:45 UTC

Sune, sorry, I thought I put a comment here, probably got miss due my feeble uplink =/

Comment 17 Kurt Lieber (RETIRED) gentoo-dev

2004-08-12 04:40:47 UTC

sounds like a fairly obscure exploit, so I'm OK with no GLSA.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-08-12 09:20:44 UTC

Closing without GLSA. If anyone disagrees feel free to reopen and provide information for a GLSA.

Comment 19 Bryan Østergaard (RETIRED) gentoo-dev

2004-08-12 16:43:28 UTC

Stable on alpha.

Comment 20 Stephen Becker (RETIRED) gentoo-dev

2004-08-14 12:59:38 UTC

stable on mips

Comment 21 Tom Gall (RETIRED) gentoo-dev

2004-09-25 22:33:56 UTC

nothing to do here. ppc64 is already stable on 1.4.1