Bug 231034 - x11-toolkits/pango: Denial of Service fix
Summary: x11-toolkits/pango: Denial of Service fix
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Steve Wills
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-30 20:19 UTC by Stephen Hurd
Modified: 2018-10-01 14:30 UTC

See Also:
bugzilla: maintainer-feedback? (gnome)


Attachments
Upstream patch for DoS attach (556 bytes, text/plain)
2018-08-30 20:19 UTC, Stephen Hurd

Description Stephen Hurd freebsd_committer 2018-08-30 20:19:47 UTC
Created attachment 196719
Upstream patch for DoS attach

CVE-2018-15120: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15120

Patch here: https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

Add this file to the files directory to apply the fix.
Comment 1 Steve Wills freebsd_committer 2018-09-02 18:47:43 UTC
FWIW, BZ 229761 has an update to pango 1.42.1, but based on the CVE it needs to update to 1.42.4.
Comment 2 Steve Wills freebsd_committer 2018-10-01 14:12:22 UTC
Maybe we should go ahead and direct commit this to the quarterly branch so this issue is fixed for pkg users between now and when the next quarterly branch comes out? I'm willing to do the work. Koop, does that sound OK to you?
Comment 3 Steve Wills freebsd_committer 2018-10-01 14:30:31 UTC
(In reply to Steve Wills from comment #2)
Wait, sorry, the Gnome 3.28 update went in just before the 2018Q4 quarterly branch was created, so I think we're good on this now.