svn commit: r542951 - in head/x11-toolkits/pango: . files
Niclas Zeising
zeising at freebsd.org
Sat Sep 26 16:50:22 UTC 2020
On 2020-09-24 20:10, Tobias Kortkamp wrote:
> On Thu, Jul 23, 2020, at 18:34, Jochen Neumeister wrote:
>> Author: joneum
>> Date: Thu Jul 23 18:34:50 2020
>> New Revision: 542951
>> URL: https://svnweb.freebsd.org/changeset/ports/542951
>>
>> Log:
>> SECURITY UPDATE: Buffer overflow
>>
>> Gnome Pango 1.42 and later is affected by: Buffer Overflow. The
>> impact is: The heap based buffer overflow can be used to get code
>> execution. The component is: function name:
>> pango_log2vis_get_embedding_levels, assignment of nchars and the loop
>> condition. The attack vector is: Bug can be used when application pass
>> invalid utf-8 strings to functions like pango_itemize.
>>
>> PR: 239563
>> Reported by: Miyashita Touka <imagin8r at protonmail.com>
>> Approved by: gnome (maintainer timeout)
>> MFH: 2020Q3
>> Security: 456375e1-cd09-11ea-9172-4c72b94353b5
>> Sponsored by: Netzkommune GmbH
>
> The port is still vulnerable: files/CVE-20191010238 has no 'patch-'
> prefix so is never applied by the framework. How did this pass
> review?
This has been fixed in ports r550179, and VuXML has been updated with
the actual version of pango where this got fixed.
Regards
--
Niclas Zeising
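The root cause in this thread is a packaging slip rather than a code bug: a diff dropped into files/ without the `patch-` prefix is never applied by the ports framework, so the port is built from unpatched sources while the commit log and VuXML claim it is fixed. As an added example, not code from the thread, the pango project or the FreeBSD ports framework, the POSIX shell function below scans a port directory for files under files/ that carry diff headers but lack that prefix, so the mistake is caught before commit or review. The diff-detection heuristic (a `--- ` header followed by a `+++ ` or `*** ` header), the temporary sample tree and the file contents are constructed for the demonstration; the mis-named file name mirrors the one reported in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or the ports framework.
# find_unapplied_patches PORTDIR
#   Prints every file under PORTDIR/files that looks like a unified or
#   context diff but is not named patch-*, and therefore would never be
#   applied by the ports framework. Returns 0 when nothing is found,
#   1 when at least one such file exists.
find_unapplied_patches() {
    portdir="$1"
    found=0
    [ -d "$portdir/files" ] || return 0
    for f in "$portdir"/files/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            patch-*) continue ;;   # applied automatically by the framework
        esac
        # Heuristic (assumption): unified diffs carry '--- ' and '+++ ' headers,
        # context diffs '--- ' and '*** ' headers. Anything else (pkg-message.in,
        # templates, extra sources) is left alone.
        if grep -q '^--- ' "$f" && grep -Eq '^(\+\+\+|\*\*\*) ' "$f"; then
            echo "$f: looks like a patch but is not named patch-*; it will not be applied"
            found=1
        fi
    done
    return $found
}

# Constructed sample port tree: one correctly named patch, one mis-named
# diff (same name as in the thread) and one ordinary non-patch file.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/files"
printf -- '--- a/pango/pango-utils.c\n+++ b/pango/pango-utils.c\n@@ -1 +1 @@\n-old\n+new\n' \
    > "$demo_tree/files/CVE-20191010238"
printf -- '--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-old\n+new\n' \
    > "$demo_tree/files/patch-foo.c"
printf 'Read the installation notes.\n' > "$demo_tree/files/pkg-message.in"

if find_unapplied_patches "$demo_tree"; then
    echo "ok: every diff under files/ carries the patch- prefix"
else
    echo "problem: the files listed above will be skipped by the ports framework"
fi
```

Run it against a real port directory with `find_unapplied_patches /usr/ports/x11-toolkits/pango` (or wire it into a pre-commit hook); a non-zero exit means the port's files/ directory contains a diff that the build will silently ignore.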