| Field | Value |
|---|---|
| Summary | <x11-libs/pango-1.42.4-r2: Buffer overflow |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Teika kazura <teika> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | Normal |
| CC | gnome, nobrowser |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa+ cve cleanup] |
| Package list | x11-libs/pango-1.42.4-r2 |
| Runtime testing required | --- |
Description

Teika kazura 2019-08-13 23:45:43 UTC

The latest as of today is pango-1.44.4, but we cannot simply bump to pango-1.44.x because it breaks at least the x11-libs/pangox-compat package: https://gitlab.gnome.org/Archive/pangox-compat/issues/1 Furthermore, it requires the ebuild to be rewritten to use the meson build system. I suggest backporting the fix instead.

Resetting version information in summary because we don't have a fixed version in tree yet.

Bumping to 1.44 will also break bitmap-only fonts, which will cause quite the uproar for users that use a gtk-based terminal emulator with such a font. So we'll need some handling of that first for 1.44 (even ~arch I think, let alone stable), e.g. documenting how to create a truetype font from the bitmap font. Help welcome in that. Meanwhile yes, will need to look at backporting it.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39892b09bb0b45155d545c6fd9fec43a99ca4ecc

commit 39892b09bb0b45155d545c6fd9fec43a99ca4ecc
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-08-15 11:30:15 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-08-15 11:35:56 +0000

    x11-libs/pango: fix CVE-2019-1010238

    Bug: https://bugs.gentoo.org/692110
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

    x11-libs/pango/files/1.42.4-CVE-2019-1010238.patch | 34 ++++++++++
    x11-libs/pango/pango-1.42.4-r2.ebuild              | 72 ++++++++++++++++++++++
    2 files changed, 106 insertions(+)

sparc stable
arm64 stable
x86 stable
hppa/ppc/ppc64 stable
amd64 stable
s390 stable
ia64 stable
alpha stable
arm stable

@maintainer, please drop vulnerable.

This issue was resolved and addressed in GLSA 201909-03 at https://security.gentoo.org/glsa/201909-03 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for cleanup.

The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aea48b9efe2abf72a1878fda3bd6d9ebdc16d087

commit aea48b9efe2abf72a1878fda3bd6d9ebdc16d087
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-09-07 09:16:14 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-09-07 09:16:14 +0000

    x11-libs/pango: security cleanup

    Closes: https://bugs.gentoo.org/692110
    Package-Manager: Portage-2.3.69, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

    x11-libs/pango/pango-1.42.4-r1.ebuild | 71 -----------------------------------
    x11-libs/pango/pango-1.42.4.ebuild    | 66 --------------------------------
    2 files changed, 137 deletions(-)
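The practical outcome of this bug is a version boundary: anything below x11-libs/pango-1.42.4-r2 is vulnerable, 1.42.4-r2 carries the backported patch, and the 1.42.4 and 1.42.4-r1 ebuilds were dropped in the cleanup commit. Deciding "is this installed version below the fix" is only straightforward because Gentoo's Package Manager Specification defines a precise ordering (numeric components, an optional letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, then the `-rN` revision), and the revision step is exactly what separates 1.42.4-r1 from 1.42.4-r2. The following is an added example, not code from this bug, from Gentoo or from pango: a self-contained Python implementation of those ordering rules applied to a constructed list of installed package atoms. The `_rc`, `_p`, letter and leading-zero cases in the comments are there to show the rules beyond the page's own versions; on a real system, Portage's own version comparison and `glsa-check` from gentoolkit are the tools to use, and a passing check here says nothing about the 1.44 breakage of pangox-compat and bitmap fonts discussed above.

```python
"""Check whether an installed x11-libs/pango version is below the fixed revision.

Added example implementing the Gentoo PMS version ordering rules. Not code
from this bug, from Gentoo or from pango.
"""
import re

# Fixed revision named in the bug summary and in GLSA 201909-03.
FIXED_VERSION = "1.42.4-r2"

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)
_SUFFIX_RE = re.compile(r"_(alpha|beta|pre|rc|p)(\d*)")
# PMS suffix ordering; a version with no suffix sits between _rc (3) and _p (5).
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 5}


def parse_version(version):
    """Split a PMS version into (numeric parts, letter, [(suffix, n)], revision)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("not a valid Gentoo version: %r" % version)
    numeric, letter, suffixes, revision = m.groups()
    suffix_list = [(name, int(num or 0)) for name, num in _SUFFIX_RE.findall(suffixes)]
    return numeric.split("."), letter or "", suffix_list, int(revision or 0)


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_versions(a, b):
    """Return -1, 0 or 1 following the PMS 'Version Comparison' algorithm."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # The first numeric component always compares as an integer.
    c = _cmp(int(na[0]), int(nb[0]))
    if c:
        return c
    # Later components: if either has a leading zero they compare as strings
    # with trailing zeros removed (so 1.01 < 1.1), otherwise as integers.
    for x, y in zip(na[1:], nb[1:]):
        if x.startswith("0") or y.startswith("0"):
            c = _cmp(x.rstrip("0"), y.rstrip("0"))
        else:
            c = _cmp(int(x), int(y))
        if c:
            return c
    c = _cmp(len(na), len(nb))  # more components wins: 1.42.4 > 1.42
    if c:
        return c
    c = _cmp(la, lb)  # a trailing letter sorts after its absence: 1.0a > 1.0
    if c:
        return c
    for (sx, nx), (sy, ny) in zip(sa, sb):
        c = _cmp(_SUFFIX_RANK[sx], _SUFFIX_RANK[sy]) or _cmp(nx, ny)
        if c:
            return c
    if len(sa) != len(sb):
        # An extra _p makes the longer version greater; any other extra
        # suffix (_alpha, _beta, _pre, _rc) makes it smaller.
        longer, common = (sa, len(sb)) if len(sa) > len(sb) else (sb, len(sa))
        sign = 1 if longer[common][0] == "p" else -1
        return sign if longer is sa else -sign
    return _cmp(ra, rb)  # finally the -rN revision; absent means -r0


def is_vulnerable(installed_version, fixed=FIXED_VERSION):
    """True when installed_version sorts strictly below the fixed revision."""
    return compare_versions(installed_version, fixed) < 0


def split_cpv(cpv):
    """Split 'category/package-version' into ('category/package', 'version').

    Package names may themselves contain hyphens, so hyphens are tried from
    the right until the remainder parses as a version.
    """
    idx = len(cpv)
    while True:
        idx = cpv.rfind("-", 0, idx)
        if idx < 0:
            raise ValueError("no version in %r" % cpv)
        if _VERSION_RE.match(cpv[idx + 1:]):
            return cpv[:idx], cpv[idx + 1:]


def check_installed(cpvs, package="x11-libs/pango", fixed=FIXED_VERSION):
    """Map each installed cpv of `package` to whether it is still vulnerable."""
    return {cpv: is_vulnerable(split_cpv(cpv)[1], fixed)
            for cpv in cpvs if split_cpv(cpv)[0] == package}


# Constructed sample input, not the output of a real system.
SAMPLE_INSTALLED = [
    "x11-libs/pango-1.42.4",
    "x11-libs/pango-1.42.4-r1",
    "x11-libs/pango-1.42.4-r2",
    "x11-libs/pango-1.44.4",
]

if __name__ == "__main__":
    for cpv, vuln in check_installed(SAMPLE_INSTALLED).items():
        print("%-30s %s" % (cpv, "VULNERABLE" if vuln else "fixed"))
```

The two versions that matter on this page differ only in revision, so the whole comparison falls through to the last step; the `_p`-versus-`_rc` and leading-zero branches are what make a naive `tuple(map(int, v.split(".")))` comparison wrong for the general case and are the reason to use the package manager's own ordering rather than a hand-written one on production systems.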