The pango port needs a security update. See: https://ftp.gnome.org/pub/GNOME/sources/pango/1.44/ and https://launchpad.net/ubuntu/+source/pango1.0/1.42.4-6ubuntu0.1
Created attachment 206202 [details] CVE-2019-1010238
Anyone able to commit this security fix with a revision bump?
Still vulnerable, months after submission.
i add myself as a ports-secteam member so that i can investigate this PR later :-)
A commit references this bug: Author: joneum Date: Thu Jul 23 18:34:50 UTC 2020 New revision: 542951 URL: https://svnweb.freebsd.org/changeset/ports/542951 Log: SECURITY UPDATE: Buffer overflow Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. PR: 239563 Reported by: Miyashita Touka <imagin8r@protonmail.com> Approved by: gnome (maintainer timeout) MFH: 2020Q3 Security: 456375e1-cd09-11ea-9172-4c72b94353b5 Sponsored by: Netzkommune GmbH Changes: head/x11-toolkits/pango/Makefile head/x11-toolkits/pango/files/CVE-20191010238
A commit references this bug: Author: joneum Date: Thu Jul 23 18:36:07 UTC 2020 New revision: 542952 URL: https://svnweb.freebsd.org/changeset/ports/542952 Log: MFH: r542951 SECURITY UPDATE: Buffer overflow Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. PR: 239563 Reported by: Miyashita Touka <imagin8r@protonmail.com> Approved by: gnome (maintainer timeout) Security: 456375e1-cd09-11ea-9172-4c72b94353b5 Sponsored by: Netzkommune GmbH Approved by: ports-secteam (with hat) Changes: _U branches/2020Q3/ branches/2020Q3/x11-toolkits/pango/Makefile branches/2020Q3/x11-toolkits/pango/files/CVE-20191010238