231034 – x11-toolkits/pango: Denial of Service fix

Bug 231034 - x11-toolkits/pango: Denial of Service fix

Summary: x11-toolkits/pango: Denial of Service fix

Status:	Closed Overcome By Events

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Steve Wills

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-08-30 20:19 UTC by Stephen Hurd
Modified:	2018-10-01 14:30 UTC (History)
CC List:	2 users (show)

See Also:	229761

Flags:	bugzilla: maintainer-feedback? (gnome)

Attachments
Upstream patch for DoS attach (556 bytes, text/plain) 2018-08-30 20:19 UTC, Stephen Hurd	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stephen Hurd freebsd_committer

2018-08-30 20:19:47 UTC

Created attachment 196719 [details]
Upstream patch for DoS attach

CVS-2018-15120: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15120

Patch here: https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

Add this file to the files directory to apply the fix.

Comment 1 Steve Wills freebsd_committer

2018-09-02 18:47:43 UTC

FWIW, BZ 229761 has an update to pango 1.42.1, but based on the CVE it needs to update to 1.42.4.

Comment 2 Steve Wills freebsd_committer

2018-10-01 14:12:22 UTC

Maybe we should go ahead and direct commit this to the quarterly branch so this issue is fixed for pkg users between now and when the next quarterly branch comes out? I'm willing to do the work. Koop, does that sound OK to you?

Comment 3 Steve Wills freebsd_committer

2018-10-01 14:30:31 UTC

(In reply to Steve Wills from comment #2)
Wait, sorry, the Gnome 3.28 update went in just before the 2018Q4 quarterly branch was created, so I think we're good on this now.