Date: Mon, 14 Feb 2011 10:35:05 +0100
From: Jan Henrik Sylvester <me@janh.de>
To: Matthias Andree <matthias.andree@gmx.de>, Tom Uffner <tom@uffner.com>
Cc: Tony Sim <y2s1982@gmail.com>, ports-list freebsd <freebsd-ports@freebsd.org>
Subject: Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
Message-ID: <4D58F749.1000106@janh.de>
In-Reply-To: <4D5880EF.4020002@gmx.de>
References: <4D5852F7.2010106@uffner.com> <4D5880EF.4020002@gmx.de>
On 01/-10/-28163 20:59, Matthias Andree wrote:
> On 13.02.2011 22:53, Tom Uffner wrote:
>> is there any point in trying to update linux-f10-pango to address this
>> vulnerability?
>>
>> Affected package: linux-f10-pango-1.22.3_1
>> Type of problem: pango -- integer overflow.
>> Reference:
>> <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>
>>
>> I realize that I can install it w/ DISABLE_VULNERABILITIES. but I hate
>> having known exploits on my system & not installing it breaks flashplugin
>> and acroread (among others).
>>
>> I've never tried to create or modify a linux emulation port before; so I'm
>> wondering just how annoying & tedious it's going to be?
>>
>> it looks like there are no Fedora 10 RPMs of pango > 1.24 so it would
>> probably involve finding an F10 box and building one from source.
>
> Fedora 10 hasn't been supported for over a year now (EOL Mid December
> 2009), chances are, however, that newer versions of the system can build
> an RPM that would fit F10.
>
> There are online build services (for instance by/for openSUSE, starts
> with Fedora 12 however), if you find a release that is close enough in
> other shared library versions, that might help.
>
> Backporting just a security fix, if a reliable and reasonable patch
> exists, might be an easier option because you can take F10's 1.22.3
> *source* RPM, add the security patch, and rebuild (see below).

This is how far I have looked into it:

RHEL/CentOS 5 has an even older version of pango. Of course, there is a
patch for that vulnerability in the src-rpm of RHEL 5. If you use
--ignore-whitespace for patch, the RHEL 5 patch applies to the pango
version in Fedora 10. Except for whitespace changes, the code in question
has not changed much between the RHEL 5 and the Fedora 10 version.
Probably, the patch fixes the vulnerability for us, too.

The easiest way would probably be:

- Take the src-rpm of the pango version in RHEL 5.
- Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
- Extract the src-rpm of pango-1.22.3 from Fedora 10.
- Apply the RHEL 5 patch with --ignore-whitespace.
- Diff for creating a patch that applies without --ignore-whitespace.
- Bump version number and repackage a src-rpm for Fedora 10 with the new
  patch.
- Build it on a clean Fedora 10 system.

There is one more problem to solve:
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html

That mail went unanswered (at least as far as the mailing list archive
goes).

Probably, the procedure above would have to be put into a shell script for
a willing committer to repeat. Every time this vulnerability comes up at
ports@ or emulation@, some committer asks for a (trusted) rpm to fix it.
Thus, there might be one.

For me, the real question is: Considering the age of Fedora 10 and the
time it has not been supported anymore, it is likely that there are more
vulnerabilities in our Linux-f10 framework that are not documented in our
vulnerability database. Does fixing the pango vulnerability really make
the Linux emulation safe? (Is it worth it?)

Cheers,
Jan Henrik
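The two middle steps of the procedure above (apply the old patch with --ignore-whitespace, then re-diff so the result applies strictly) as an added shell example; this is not code from the thread or from the pango/RPM tooling, and every file it writes is a constructed stand-in rather than pango source or the RHEL 5 patch. It assumes GNU or FreeBSD patch(1) and diff(1).

```shell
#!/bin/sh
# Added example, not code from the thread: rebase a patch across whitespace-only
# drift so that it applies to the target tree without --ignore-whitespace.
# All file contents below are constructed stand-ins, not pango source.

# rebase_patch OLD_PATCH TARGET_TREE OUT_PATCH   (absolute paths)
# OLD_PATCH was written against a tree that differs from TARGET_TREE only in
# whitespace. Writes OUT_PATCH, a -p1 patch that applies to TARGET_TREE
# strictly. Exit status 0 on success, 1 on any failure.
rebase_patch() {
    work=$(mktemp -d) || return 1
    cp -R "$2" "$work/a" && cp -R "$2" "$work/b" || return 1
    # 1. Apply loosely: context and removed lines may differ in whitespace.
    (cd "$work/b" && patch -p1 -s -f --ignore-whitespace < "$1") || return 1
    find "$work/b" \( -name '*.orig' -o -name '*.rej' \) -exec rm -f {} +
    # 2. Regenerate the patch from pristine vs patched (diff exits 1 = differ).
    (cd "$work" && diff -Naur a b > "$3") || [ $? -eq 1 ] || return 1
    # 3. Prove the regenerated patch applies strictly to a fresh copy.
    rm -rf "$work/b" && cp -R "$2" "$work/b" || return 1
    (cd "$work/b" && patch -p1 -s -f --dry-run < "$3") || return 1
    rm -rf "$work"
}

# Constructed demo: an "RHEL 5" tree indented with spaces, an "F10" tree
# indented with a tab, and a bounds-check fix written against the RHEL 5 tree.
rebase_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/rhel5/pango" "$d/rhel5.fixed/pango" "$d/f10/pango" || return 1
    printf 'int glyphs(int n)\n{\n    return n;\n}\n' > "$d/rhel5/pango/glyphstring.c"
    printf 'int glyphs(int n)\n{\n    return (n < 0 || n > 65535) ? 0 : n;\n}\n' \
        > "$d/rhel5.fixed/pango/glyphstring.c"
    printf 'int glyphs(int n)\n{\n\treturn n;\n}\n' > "$d/f10/pango/glyphstring.c"
    (cd "$d" && diff -Naur rhel5 rhel5.fixed > "$d/old.patch") || [ $? -eq 1 ] || return 1
    # The old patch must NOT apply strictly to the F10 tree: the removed line
    # differs in indentation. That mismatch is what the rebase exists to fix.
    if (cd "$d/f10" && patch -p1 -s -f --dry-run < "$d/old.patch") >/dev/null 2>&1; then
        rm -rf "$d"; return 1
    fi
    rebase_patch "$d/old.patch" "$d/f10" "$d/new.patch"; rc=$?
    rm -rf "$d"
    return $rc
}

rebase_demo && echo "rebased patch applies strictly to the F10 tree"
```

The regenerated patch carries the target tree's own indentation in its context and removed lines, which is what lets it go into a src-rpm without special patch flags.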