Bug 692110 (CVE-2019-1010238)

Summary: <x11-libs/pango-1.42.4-r2: Buffer overflow
Product: Gentoo Security
Reporter: Teika kazura <teika>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gnome, nobrowser
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve cleanup]
Package list:
x11-libs/pango-1.42.4-r2
Runtime testing required: ---

Description Teika kazura 2019-08-13 23:45:43 UTC
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap-based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: The bug can be used when applications pass invalid UTF-8 strings to functions like pango_itemize.

According to NVD, the affected versions are from 1.42.0 (incl) to 1.43.0 (incl).

The upstream fix is there: https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54

Debian entry: https://security-tracker.debian.org/tracker/CVE-2019-1010238
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-1010238

The latest Pango version is 1.44.3 as of today. Notice it depends on >=Glib-2.59.2 which is not stabilized yet.

Best regards.
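A defensive check for the trigger named in the report above, added here as an example (not code from Pango, GLib or this bug): a strict UTF-8 validator with the same contract as GLib's g_utf8_validate(), plus a trusting lead-byte walk that shows how a loop bound derived from malformed input runs past the buffer. Function names are the example's own; the gate is meant to run on untrusted text before it reaches pango_itemize() and similar entry points.

```c
#include <stddef.h>
#include <stdint.h>

/* Number of code points if s (len bytes, not NUL-terminated) is well-formed
 * UTF-8; -1 at the first truncated sequence, bad continuation byte, overlong
 * form, surrogate or value above U+10FFFF (g_utf8_validate() semantics,
 * re-implemented here so the example builds without GLib). */
long utf8_strict_count(const unsigned char *s, size_t len)
{
    long n = 0;
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i];
        size_t need;      /* continuation bytes expected after the lead */
        uint32_t cp, min; /* decoded value and smallest legal value for it */
        if (b < 0x80) { i++; n++; continue; }
        if ((b & 0xE0) == 0xC0)      { need = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
        else return -1;                            /* stray continuation or 0xF8..0xFF */
        if (i + need >= len) return -1;            /* truncated sequence */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return -1;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return -1;
        i += need + 1;
        n++;
    }
    return n;
}

/* Trusting walk: advances by the length the lead byte announces without
 * checking that those bytes exist. Returns the offset where it stops; on a
 * truncated sequence that offset lies beyond len, i.e. the loop has stepped
 * past the buffer. This is the class of mismatch between a character count
 * and a loop condition that the report attributes to the Pango function. */
size_t utf8_trusting_walk_end(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i];
        i += (b < 0x80) ? 1 : ((b & 0xE0) == 0xC0) ? 2 :
             ((b & 0xF0) == 0xE0) ? 3 : 4;
    }
    return i;
}

/* Gate for untrusted text: 1 = well-formed, safe to hand to the layout library. */
int text_is_safe_for_pango(const char *text, size_t len)
{
    return utf8_strict_count((const unsigned char *)text, len) >= 0;
}
```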
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2019-08-14 00:06:21 UTC
Latest as of today is pango-1.44.4 but we cannot simply bump to pango-1.44.x because it breaks at least the x11-libs/pangox-compat package:
https://gitlab.gnome.org/Archive/pangox-compat/issues/1

Furthermore, it requires the ebuild to be rewritten to use the meson build system.

I suggest backporting the fix instead.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2019-08-14 06:00:03 UTC
Resetting version information in summary because we don't have a fixed version in tree yet.
Comment 3 Mart Raudsepp gentoo-dev 2019-08-14 14:28:33 UTC
Bumping to 1.44 will also break bitmap-only fonts, which will cause quite the uproar for users that use a gtk-based terminal emulator with such a font. So we'll need some handling of that first for 1.44 (even ~arch I think, let alone stable), e.g. telling how to create a truetype font from the bitmap font or so. Help welcome in that. Meanwhile yes, will need to look at backporting it.
Comment 4 Larry the Git Cow gentoo-dev 2019-08-15 11:36:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39892b09bb0b45155d545c6fd9fec43a99ca4ecc

commit 39892b09bb0b45155d545c6fd9fec43a99ca4ecc
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-08-15 11:30:15 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-08-15 11:35:56 +0000

    x11-libs/pango: fix CVE-2019-1010238
    
    Bug: https://bugs.gentoo.org/692110
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 x11-libs/pango/files/1.42.4-CVE-2019-1010238.patch | 34 ++++++++++
 x11-libs/pango/pango-1.42.4-r2.ebuild              | 72 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
Comment 5 Rolf Eike Beer 2019-08-15 18:59:49 UTC
sparc stable
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-16 19:46:38 UTC
arm64 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2019-08-16 22:39:53 UTC
x86 stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-08-17 20:53:39 UTC
hppa/ppc/ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-08-18 21:52:27 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-08-23 10:00:55 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-08-23 12:52:54 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-08-23 13:28:56 UTC
alpha stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:24:49 UTC
arm stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-02 22:31:50 UTC
@maintainer, please drop vulnerable.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-09-06 16:17:12 UTC
This issue was resolved and addressed in
 GLSA 201909-03 at https://security.gentoo.org/glsa/201909-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann gentoo-dev Security 2019-09-06 16:17:46 UTC
Re-opening for cleanup.
Comment 17 Larry the Git Cow gentoo-dev 2019-09-07 09:16:34 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aea48b9efe2abf72a1878fda3bd6d9ebdc16d087

commit aea48b9efe2abf72a1878fda3bd6d9ebdc16d087
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-09-07 09:16:14 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-09-07 09:16:14 +0000

    x11-libs/pango: security cleanup
    
    Closes: https://bugs.gentoo.org/692110
    Package-Manager: Portage-2.3.69, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 x11-libs/pango/pango-1.42.4-r1.ebuild | 71 -----------------------------------
 x11-libs/pango/pango-1.42.4.ebuild    | 66 --------------------------------
 2 files changed, 137 deletions(-)