| Field | Value |
|---|---|
| Summary | <x11-libs/pango-1.42.4: assertion which can be triggered by invalid Unicode sequences (CVE-2018-15120) |
| Product | Gentoo Security |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | fonts, gnome, polynomial-c |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://mail.gnome.org/archives/distributor-list/2018-August/msg00001.html |
| Whiteboard | A3 [glsa+ cve] |
| Package list | media-libs/fontconfig-2.13.0-r4, x11-libs/pango-1.42.4 |
| Runtime testing required | --- |
Description
GLSAMaker/CVETool Bot
2018-08-20 14:25:55 UTC
From $URL:

This prevents an assertion which can be triggered by invalid Unicode sequences. I'll be doing a release with this fix shortly, but since this can crash apps like hexchat or gnome-terminal, it is a good idea to get the patch out as soon as possible. This affects all versions of Pango since color Emoji support was introduced in 1.40.8.

Upstream patch: https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1edcc424c04a62d7412f9acf027f90b6728a7b5

commit d1edcc424c04a62d7412f9acf027f90b6728a7b5
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-08-20 16:51:57 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-08-20 16:52:42 +0000

x11-libs/pango: bump to 1.42.4

Bug: https://bugs.gentoo.org/664108
Package-Manager: Portage-2.3.47, Repoman-2.3.10

x11-libs/pango/Manifest | 1 +
x11-libs/pango/files/1.42.4-pango-view.1.in | 113 ++++++++++++++++++++++++++++
x11-libs/pango/pango-1.42.4.ebuild | 65 ++++++++++++++++
3 files changed, 179 insertions(+)

Please stabilize pango-1.42.4 and its newer fontconfig dependency. fontconfig de jure maintainer is not active in fontconfig at all, and the de facto maintainer (Poly-C) signed off on it a week or so ago for future needs.

arm64 stable

sparc done.

amd64 stable

x86 stable

New GLSA request filed.

ia64 stable

Stable on alpha.

ppc/ppc64 stable

arm stable

s390 stable

hppa project: Please finish stabilization. Security team is releasing GLSA but the users can still install vulnerable version until cleanup. Please stabilize or move package to non-stable / testing.

This issue was resolved and addressed in GLSA 201811-07 at https://security.gentoo.org/glsa/201811-07 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architecture.

hppa stable

@maintainer(s), please clean vulnerable.

pretty please