Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 664108 (CVE-2018-15120)

Summary: <x11-libs/pango-1.42.4: assertion which can be triggered by invalid Unicode sequences (CVE-2018-15120)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: fonts, gnome, polynomial-c
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://mail.gnome.org/archives/distributor-list/2018-August/msg00001.html
Whiteboard: A3 [glsa+ cve]
Package list:
media-libs/fontconfig-2.13.0-r4 x11-libs/pango-1.42.4
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-20 14:25:55 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-20 14:27:37 UTC
From $URL:

This prevents and assertion which can be triggered by invalid Unicode sequences.

I'll be doing a release with this fix shortly, but since this can crash apps like hexchat
or gnome-terminal, it is a good idea to get the patch out as soon as possible.

This affects all versions of Pango since color Emoji support was introduced in 1.40.8.



Upstream patch: https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
Comment 2 Larry the Git Cow gentoo-dev 2018-08-20 16:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1edcc424c04a62d7412f9acf027f90b6728a7b5

commit d1edcc424c04a62d7412f9acf027f90b6728a7b5
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-08-20 16:51:57 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-08-20 16:52:42 +0000

    x11-libs/pango: bump to 1.42.4
    
    Bug: https://bugs.gentoo.org/664108
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 x11-libs/pango/Manifest                     |   1 +
 x11-libs/pango/files/1.42.4-pango-view.1.in | 113 ++++++++++++++++++++++++++++
 x11-libs/pango/pango-1.42.4.ebuild          |  65 ++++++++++++++++
 3 files changed, 179 insertions(+)
Comment 3 Mart Raudsepp gentoo-dev 2018-08-20 17:00:58 UTC
Please stabilize pango-1.42.4 and its newer fontconfig dependency. fontconfig de jure maintainer is not active in fontconfig at all, and the de facto maintainer (Poly-C) signed off on it a week or so ago for future needs.
Comment 4 Mart Raudsepp gentoo-dev 2018-08-21 08:25:47 UTC
arm64 stable
Comment 5 Rolf Eike Beer archtester 2018-08-21 20:22:47 UTC
sparc done.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-22 00:16:09 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-23 01:42:27 UTC
x86 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-30 12:29:20 UTC
New GLSA request filed.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:44:13 UTC
ia64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2018-09-14 08:29:21 UTC
Stable on alpha.
Comment 11 Matt Turner gentoo-dev 2018-09-17 21:34:58 UTC
ppc/ppc64 stable
Comment 12 Markus Meier gentoo-dev 2018-09-19 16:59:33 UTC
arm stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-17 11:18:34 UTC
s390 stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2018-11-09 23:04:59 UTC
hppa project:  Please finish stabilization. Security team is releasing GLSA but the users can still install vulnerable version until cleanup. Please stabilize or move package to non-stable / testing.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2018-11-10 00:26:07 UTC
This issue was resolved and addressed in
 GLSA 201811-07 at https://security.gentoo.org/glsa/201811-07
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-10 00:26:43 UTC
Re-opening for remaining architecture.
Comment 17 Rolf Eike Beer archtester 2018-11-24 13:02:25 UTC
hppa stable
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2018-12-01 00:48:51 UTC
@maintainer(s), please clean vulnerable.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 05:04:14 UTC
pretty please