Date: Thu, 24 Sep 2020 18:10:34 +0000
From: "Tobias Kortkamp"
To: "Jochen Neumeister", ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org, desktop@FreeBSD.org
Subject: Re: svn commit: r542951 - in head/x11-toolkits/pango: . files

On Thu, Jul 23, 2020, at 18:34, Jochen Neumeister wrote:
> Author: joneum
> Date: Thu Jul 23 18:34:50 2020
> New Revision: 542951
> URL: https://svnweb.freebsd.org/changeset/ports/542951
>
> Log:
> SECURITY UPDATE: Buffer overflow
>
> Gnome Pango 1.42 and later is affected by: Buffer Overflow. The
> impact is: The heap based buffer overflow can be used to get code
> execution. The component is: function name:
> pango_log2vis_get_embedding_levels, assignment of nchars and the loop
> condition. The attack vector is: Bug can be used when application pass
> invalid utf-8 strings to functions like pango_itemize.
>
> PR: 239563
> Reported by: Miyashita Touka
> Approved by: gnome (maintainer timeout)
> MFH: 2020Q3
> Security: 456375e1-cd09-11ea-9172-4c72b94353b5
> Sponsored by: Netzkommune GmbH
>
> Added:
> head/x11-toolkits/pango/files/CVE-20191010238 (contents, props changed)
> Modified:
> head/x11-toolkits/pango/Makefile
>
> Modified: head/x11-toolkits/pango/Makefile > ============================================================================== > --- head/x11-toolkits/pango/Makefile Thu Jul 23 18:34:47 2020 (r542950) > +++ head/x11-toolkits/pango/Makefile Thu Jul 23 18:34:50 2020 (r542951) 
> @@ -3,7 +3,7 @@ > > PORTNAME= pango > PORTVERSION= 1.42.4 > -PORTREVISION= 3 > +PORTREVISION= 4 > CATEGORIES= x11-toolkits > MASTER_SITES= GNOME > DIST_SUBDIR= gnome2 > > Added: head/x11-toolkits/pango/files/CVE-20191010238 > ============================================================================== > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/x11-toolkits/pango/files/CVE-20191010238 Thu Jul 23 18:34:50 > 2020 (r542951) > @@ -0,0 +1,16 @@ > +--- ../pango/pango-bidi-type.c.orig 2020-07-23 19:10:14.338937000 +0200 > ++++ ../pango/pango-bidi-type.c 2020-07-23 19:12:15.511836000 +0200 > +@@ -179,8 +179,11 @@ pango_log2vis_get_embedding_levels (const gchar > *te > + for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), > i++) > + { > + gunichar ch = g_utf8_get_char (p); > +- FriBidiCharType char_type; > +- char_type = fribidi_get_bidi_type (ch); > ++ FriBidiCharType char_type = fribidi_get_bidi_type (ch); > ++ > ++ if (i == n_chars) > ++ break; > ++ > + bidi_types[i] = char_type; > + ored_types |= char_type; > + if (FRIBIDI_IS_STRONG (char_type)) The port is still vulnerable: files/CVE-20191010238 has no 'patch-' prefix so is never applied by the framework. How did this pass review?
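
Review bot: the PORTREVISION= 4 line in the Makefile hunk is spent on a build whose source is unchanged, because the file added in the same commit is not named patch-* and is therefore not applied. The commit that corrects the file name needs to bump PORTREVISION again; otherwise a host that already installed revision 4 is not offered the rebuilt package that actually contains the bounds check.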
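
Review bot: the file added at "+++ head/x11-toolkits/pango/files/CVE-20191010238" has no patch- prefix, so the patch step never picks it up; rename it to a patch- prefixed name (the usual form is patch- followed by the target path with "/" replaced by "_"). The inner headers also name ../pango/pango-bidi-type.c, which steps out of the directory the patch is applied from, so after renaming run the port's patch target and confirm that "if (i == n_chars)" is present in the extracted pango-bidi-type.c. A minor point inside the loop: the new check runs after g_utf8_get_char (p) and fribidi_get_bidi_type (ch) have already been evaluated for the extra character, so testing i against n_chars first, or in the for condition, would be tidier.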
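
A check for the failure described in the reply, as an added example that is not part of the original message or of the ports framework: it lists files under a port's files/ directory that look like unified diffs but are not named patch-*. Treating any file whose name appears in the port Makefile (for instance via EXTRA_PATCHES) as handled is an assumption of this sketch, and the sample port, including the name patch-pango_pango-bidi-type.c, is constructed from the lines quoted above.

```shell
#!/bin/sh
# True if FILE carries unified-diff file headers and at least one hunk header.
looks_like_diff() {
    grep -q -e '^--- ' "$1" && grep -q -e '^+++ ' "$1" &&
        grep -q -e '^@@ .* @@' "$1"
}

# Print diff-like files in PORTDIR/files that the patch step would skip.
unapplied_patches() {
    portdir=$1
    for f in "$portdir"/files/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            patch-*) continue ;;          # picked up by the framework
        esac
        looks_like_diff "$f" || continue  # pkg-message, configs, etc.
        # Assumption: a file named in the Makefile is applied explicitly.
        if [ -f "$portdir/Makefile" ] &&
            grep -qF -e "$name" "$portdir/Makefile"; then
            continue
        fi
        printf '%s\n' "$name"
    done
}

# Constructed sample port mirroring the commit: one misnamed diff, one
# correctly named copy (hypothetical name), one non-diff file.
make_sample_port() {
    d=$(mktemp -d) && mkdir "$d/files" || return 1
    printf 'PORTNAME=\tpango\nPORTREVISION=\t4\n' > "$d/Makefile"
    cat > "$d/files/CVE-20191010238" <<'EOF'
--- ../pango/pango-bidi-type.c.orig
+++ ../pango/pango-bidi-type.c
@@ -179,8 +179,11 @@
+      if (i == n_chars)
+        break;
EOF
    cp "$d/files/CVE-20191010238" "$d/files/patch-pango_pango-bidi-type.c"
    printf 'not a diff\n' > "$d/files/pkg-message.in"
    echo "$d"
}

port=$(make_sample_port)
unapplied_patches "$port"
rm -rf "$port"
```

Run against a ports checkout as `unapplied_patches /usr/ports/x11-toolkits/pango`; an empty result means every diff-like file in files/ is either patch- prefixed or named in the Makefile.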