Message-ID: <4D58F749.1000106@janh.de>
Date: Mon, 14 Feb 2011 10:35:05 +0100
From: Jan Henrik Sylvester
To: Matthias Andree, Tom Uffner
Cc: Tony Sim, ports-list freebsd
Subject: Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
References: <4D5852F7.2010106@uffner.com> <4D5880EF.4020002@gmx.de>
In-Reply-To: <4D5880EF.4020002@gmx.de>
List-Id: Porting software to FreeBSD

On 01/-10/-28163 20:59, Matthias Andree wrote:
> On 13.02.2011 22:53, Tom Uffner wrote:
>> is there any point in trying to update linux-f10-pango to address this
>> vulnerability?
>>
>> Affected package: linux-f10-pango-1.22.3_1
>> Type of problem: pango -- integer overflow.
>> Reference:
>>
>>
>> I realize that I can install it w/ DISABLE_VULNERABILITIES. but I hate
>> having known exploits on my system & not installing it breaks flashplugin
>> and acroread (among others).
>>
>> I've never tried to create or modify a linux emulation port before; so I'm
>> wondering just how annoying & tedious it's going to be?
>>
>> it looks like there are no Fedora 10 RPMs of pango > 1.24 so it would
>> probably involve finding an F10 box and building one from source.
>
> Fedora 10 hasn't been supported for over a year now (EOL Mid December
> 2009), chances are, however, that newer versions of the system can build
> an RPM that would fit F10.
>
> There are online build services (for instance by/for openSUSE, starts
> with Fedora 12 however), if you find a release that is close enough in
> other shared library versions, that might help.
>
> Backporting just a security fix, if a reliable and reasonable patch
> exists, might be an easier option because you can take F10's 1.22.3
> *source* RPM, add the security patch, and rebuild (see below).

This is how far I have looked into it:

RHEL/CentOS 5 has an even older version of pango. Of course, there is a
patch for that vulnerability in the src-rpm of RHEL 5. If you use
--ignore-whitespace for patch, the RHEL 5 patch applies to the pango
version in Fedora 10. Except for whitespace changes, the code in question
has not changed much between the RHEL 5 and the Fedora 10 version.
Probably, the patch fixes the vulnerability for us, too.

The easiest way would probably be:
- Take the src-rpm of the pango version in RHEL 5.
- Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
- Extract the src-rpm of pango-1.22.3 from Fedora 10.
- Apply the RHEL 5 patch with --ignore-whitespace.
- Diff for creating a patch that applies without --ignore-whitespace.
- Bump version number and repackage a src-rpm for Fedora 10 with the new
  patch.
- Build it on a clean Fedora 10 system.

There is one more problem to solve:
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
That mail went unanswered (at least as far as the mailing list archive
goes).

Probably, the procedure above would have to be put into a shell script
for a willing committer to repeat. Every time this vulnerability comes up
at ports@ or emulation@, some committer asks for a (trusted) rpm to fix it.
Thus, there might be one.

For me, the real question is: Considering the age of Fedora 10 and the
time it has not been supported anymore, it is likely that there are more
vulnerabilities in our Linux-f10 framework that are not documented in our
vulnerability database. Does fixing the pango vulnerability really make
the Linux emulation safe? (Is it worth it?)

Cheers,
Jan Henrik
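
The two whitespace steps from the list in the mail above (apply with --ignore-whitespace, then diff to get a patch that applies without it), as an added example that is not part of the original mail. The file g.c and the function grow() are constructed stand-ins, not pango sources, and GNU patch and diff are assumed; the src-rpm extraction, version bump and rebuild steps are not covered.

```sh
#!/bin/sh
# Added example. g.c and grow() are constructed stand-ins, not pango code:
# "old" is tab-indented (the tree the fix was written for), "new" holds the
# same code indented with spaces (the tree that still needs the fix).
rebase_patch() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir old old.fixed new || exit 1
        printf 'int grow(int n)\n{\n\tn = n * 2;\n\treturn n;\n}\n' > old/g.c
        printf 'int grow(int n)\n{\n\tn = (n > 1000) ? -1 : n * 2;\n\treturn n;\n}\n' > old.fixed/g.c
        printf 'int grow(int n)\n{\n    n = n * 2;\n    return n;\n}\n' > new/g.c
        cp -R new new.orig || exit 1

        # The fix as shipped for the old tree (diff exits 1 when files differ).
        diff -u old/g.c old.fixed/g.c > backport.patch || [ $? -eq 1 ] || exit 1

        # Strict matching must fail here, otherwise there is nothing to rebase.
        if patch -d new -p1 -s -f --dry-run < backport.patch >/dev/null 2>&1; then
            echo "patch already applies without --ignore-whitespace" >&2
            exit 1
        fi

        # Apply loosely, then diff against the pristine copy to get a patch
        # whose context lines carry the new tree's own whitespace.
        patch -d new -p1 -s -f --ignore-whitespace < backport.patch || exit 1
        diff -u new.orig/g.c new/g.c > clean.patch || [ $? -eq 1 ] || exit 1

        # The regenerated patch has to apply strictly to an untouched copy
        # and give the same file as the loose application did.
        cp -R new.orig verify || exit 1
        patch -d verify -p1 -s -f < clean.patch || exit 1
        cmp -s verify/g.c new/g.c || exit 1
        cat clean.patch
    ) && rc=0 || rc=$?
    rm -rf "$work"
    return "$rc"
}

rebase_patch
```

The regenerated patch printed at the end is the one that would go into the repackaged src-rpm; it still needs a read-through against the original fix, because loose matching only proves the hunks found a place to apply.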