Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 664108 (CVE-2018-15120) - <x11-libs/pango-1.42.4: assertion which can be triggered by invalid Unicode sequences (CVE-2018-15120)
Summary: <x11-libs/pango-1.42.4: assertion which can be triggered by invalid Unicode s...
Alias: CVE-2018-15120
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on:
Reported: 2018-08-20 14:25 UTC by GLSAMaker/CVETool Bot
Modified: 2019-03-10 14:45 UTC (History)
3 users (show)

See Also:
Package list:
media-libs/fontconfig-2.13.0-r4 x11-libs/pango-1.42.4
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-20 14:25:55 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-20 14:27:37 UTC
From $URL:

This prevents and assertion which can be triggered by invalid Unicode sequences.

I'll be doing a release with this fix shortly, but since this can crash apps like hexchat
or gnome-terminal, it is a good idea to get the patch out as soon as possible.

This affects all versions of Pango since color Emoji support was introduced in 1.40.8.

Upstream patch:
Comment 2 Larry the Git Cow gentoo-dev 2018-08-20 16:53:13 UTC
The bug has been referenced in the following commit(s):

commit d1edcc424c04a62d7412f9acf027f90b6728a7b5
Author:     Mart Raudsepp <>
AuthorDate: 2018-08-20 16:51:57 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2018-08-20 16:52:42 +0000

    x11-libs/pango: bump to 1.42.4
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 x11-libs/pango/Manifest                     |   1 +
 x11-libs/pango/files/ | 113 ++++++++++++++++++++++++++++
 x11-libs/pango/pango-1.42.4.ebuild          |  65 ++++++++++++++++
 3 files changed, 179 insertions(+)
Comment 3 Mart Raudsepp gentoo-dev 2018-08-20 17:00:58 UTC
Please stabilize pango-1.42.4 and its newer fontconfig dependency. fontconfig de jure maintainer is not active in fontconfig at all, and the de facto maintainer (Poly-C) signed off on it a week or so ago for future needs.
Comment 4 Mart Raudsepp gentoo-dev 2018-08-21 08:25:47 UTC
arm64 stable
Comment 5 Rolf Eike Beer archtester 2018-08-21 20:22:47 UTC
sparc done.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-22 00:16:09 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-23 01:42:27 UTC
x86 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-30 12:29:20 UTC
New GLSA request filed.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:44:13 UTC
ia64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2018-09-14 08:29:21 UTC
Stable on alpha.
Comment 11 Matt Turner gentoo-dev 2018-09-17 21:34:58 UTC
ppc/ppc64 stable
Comment 12 Markus Meier gentoo-dev 2018-09-19 16:59:33 UTC
arm stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-17 11:18:34 UTC
s390 stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2018-11-09 23:04:59 UTC
hppa project:  Please finish stabilization. Security team is releasing GLSA but the users can still install vulnerable version until cleanup. Please stabilize or move package to non-stable / testing.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2018-11-10 00:26:07 UTC
This issue was resolved and addressed in
 GLSA 201811-07 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-10 00:26:43 UTC
Re-opening for remaining architecture.
Comment 17 Rolf Eike Beer archtester 2018-11-24 13:02:25 UTC
hppa stable
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2018-12-01 00:48:51 UTC
@maintainer(s), please clean vulnerable.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 05:04:14 UTC
pretty please