Bug 231034

Summary: x11-toolkits/pango: Denial of Service fix
Product: Ports & Packages
Reporter: Stephen Hurd <shurd>
Component: Individual Port(s)
Assignee: Steve Wills <swills>
Status: Closed Overcome By Events
Severity: Affects Many People
CC: kwm, swills
Priority: ---
Flags: bugzilla: maintainer-feedback? (gnome)
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229761
Attachments:
Description Flags
Upstream patch for DoS attach none

Description Stephen Hurd freebsd_committer freebsd_triage 2018-08-30 20:19:47 UTC
Created attachment 196719
Upstream patch for DoS attach

CVE-2018-15120: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15120

Patch here: https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

Add this file to the files directory to apply the fix.
Comment 1 Steve Wills freebsd_committer freebsd_triage 2018-09-02 18:47:43 UTC
FWIW, BZ 229761 has an update to pango 1.42.1, but based on the CVE it needs to update to 1.42.4.
Comment 2 Steve Wills freebsd_committer freebsd_triage 2018-10-01 14:12:22 UTC
Maybe we should go ahead and direct commit this to the quarterly branch so this issue is fixed for pkg users between now and when the next quarterly branch comes out? I'm willing to do the work. Koop, does that sound OK to you?
Comment 3 Steve Wills freebsd_committer freebsd_triage 2018-10-01 14:30:31 UTC
(In reply to Steve Wills from comment #2)
Wait, sorry, the Gnome 3.28 update went in just before the 2018Q4 quarterly branch was created, so I think we're good on this now.