Date:      Mon, 14 Feb 2011 10:35:05 +0100
From:      Jan Henrik Sylvester <me@janh.de>
To:        Matthias Andree <matthias.andree@gmx.de>, Tom Uffner <tom@uffner.com>
Cc:        Tony Sim <y2s1982@gmail.com>, ports-list freebsd <freebsd-ports@freebsd.org>
Subject:   Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
Message-ID:  <4D58F749.1000106@janh.de>
In-Reply-To: <4D5880EF.4020002@gmx.de>
References:  <4D5852F7.2010106@uffner.com> <4D5880EF.4020002@gmx.de>

On 01/-10/-28163 20:59, Matthias Andree wrote:
> Am 13.02.2011 22:53, schrieb Tom Uffner:
>> is there any point in trying to update linux-f10-pango to address this
>> vulnerability?
>>
>> Affected package: linux-f10-pango-1.22.3_1
>> Type of problem: pango -- integer overflow.
>> Reference:
>> <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>
>>
>> I realize that I can install it w/ DISABLE_VULNERABILITIES. but I hate
>> having known exploits on my system & not installing it breaks flashplugin
>> and acroread (among others).
>>
>> I've never tried to create or modify a linux emulation port before; so I'm
>> wondering just how annoying & tedious it's going to be?
>>
>> it looks like there are no Fedora 10 RPMs of pango > 1.24 so it would
>> probably involve finding an F10 box and building one from source.
>
> Fedora 10 hasn't been supported for over a year now (EOL Mid December
> 2009), chances are, however, that newer versions of the system can build
> an RPM that would fit F10.
>
> There are online build services (for instance by/for openSUSE, starts
> with Fedora 12 however), if you find a release that is close enough in
> other shared library versions, that might help.
>
> Backporting just a security fix, if a reliable and reasonable patch
> exists, might be an easier option because you can take F10's 1.22.3
> *source* RPM, add the security patch, and rebuild (see below).

This is how far I have looked into it: RHEL/CentOS 5 has an even older 
version of pango. Of course, there is a patch for that vulnerability in 
the src-rpm of RHEL 5. If you use --ignore-whitespace for patch, the 
RHEL 5 patch applies to the pango version in Fedora 10. Except for 
whitespace changes, the code in question has not changed much between 
the RHEL 5 and the Fedora 10 version. Probably, the patch fixes the 
vulnerability for us, too.

The easiest way would probably be:

- Take the src-rpm of the pango version in RHEL 5.
- Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
- Extract the src-rpm of pango-1.22.3 from Fedora 10.
- Apply the RHEL 5 patch with --ignore-whitespace.
- Diff for creating a patch that applies without --ignore-whitespace.
- Bump version number and repackage a src-rpm for Fedora 10 with the new 
patch.
- Build it on a clean Fedora 10 system.

There is one more problem to solve: 
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html

That mail went unanswered (at least as far as the mailing list archive 
goes). Probably, the procedure above would have to be put into a shell 
script for a willing committer to repeat. Every time this vulnerability 
comes up at ports@ or emulation@, some committer asks for a (trusted) rpm 
to fix it. Thus, there might be one.

For me, the real question is: Considering the age of Fedora 10 and the 
time it has been unsupported, it is likely that there are more 
vulnerabilities in our Linux-f10 framework that are not documented in 
our vulnerability database. Does fixing the pango vulnerability really 
make the Linux emulation safe? (Is it worth it?)

Cheers,
Jan Henrik
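
The apply-with---ignore-whitespace, diff, and verify steps from the procedure above, as an added example that is not part of the original mail and is neither pango's nor Red Hat's code. It is a small pure-Python stand-in for `patch --ignore-whitespace` followed by `diff -u`, run on a constructed tab-indented "Fedora 10" source file and a constructed space-indented "RHEL 5" patch, and it adds the check a backporter should run before trusting the result: the regenerated patch must remove and add the same lines, modulo whitespace, as the original one, otherwise the fuzzy match landed somewhere else. The file name `src/buf.c`, the `set_size` function and the overflow check in the patch are all made up for the example.

```python
"""Regenerate a whitespace-tolerant patch as an exact one, then verify it.

Constructed example: the C snippet and the patch are not pango code and
not the RHEL 5 pango-glyphstring patch; they only stand in for a source
tree and a patch that differ in indentation.
"""
import difflib
import re

_WS = re.compile(r"\s+")


def _squash_ws(line):
    """patch --ignore-whitespace compares lines with all whitespace removed."""
    return _WS.sub("", line)


def parse_hunks(patch_text):
    """Split a unified diff into hunks; each hunk is a list of (tag, text)."""
    hunks = []
    for line in patch_text.splitlines():
        if line.startswith("@@"):
            hunks.append([])
        elif not hunks or line.startswith("\\"):
            continue  # headers before the first hunk, "\ No newline ..." notes
        elif line[:1] in (" ", "-", "+"):
            hunks[-1].append((line[0], line[1:]))
        elif line == "":
            hunks[-1].append((" ", ""))  # some tools emit bare empty context lines
    return hunks


def _locate(target, old_side, norm):
    """Index of the unique place in target where old_side matches under norm."""
    want = [norm(t) for t in old_side]
    n = len(want)
    hits = [i for i in range(len(target) - n + 1)
            if [norm(t) for t in target[i:i + n]] == want]
    if len(hits) != 1:
        raise ValueError("hunk matched %d places, refusing to guess" % len(hits))
    return hits[0]


def apply_patch(target_text, patch_text, ignore_whitespace=False):
    """Apply a unified diff to target_text and return the new text.

    Context lines keep the target's own whitespace (as patch(1) does); only
    '+' lines are copied verbatim from the patch.  Raises ValueError when a
    hunk does not match exactly once.
    """
    norm = _squash_ws if ignore_whitespace else (lambda s: s)
    target = target_text.splitlines()
    for hunk in parse_hunks(patch_text):
        old_side = [text for tag, text in hunk if tag != "+"]
        start = _locate(target, old_side, norm)
        new, pos = [], start
        for tag, text in hunk:
            if tag == " ":
                new.append(target[pos])  # keep the target's own line
                pos += 1
            elif tag == "-":
                pos += 1                 # drop the matched line
            else:
                new.append(text)         # insert the patch's line as written
        target[start:pos] = new
    return "\n".join(target) + "\n"


def regenerate_patch(target_text, patch_text, name):
    """A patch that applies to target_text without --ignore-whitespace."""
    patched = apply_patch(target_text, patch_text, ignore_whitespace=True)
    return "".join(difflib.unified_diff(
        target_text.splitlines(keepends=True), patched.splitlines(keepends=True),
        fromfile=name + ".orig", tofile=name))


def same_change(patch_a, patch_b):
    """True if both patches remove and add the same lines, modulo whitespace.

    Run this before trusting a cross-release backport: the regenerated patch
    must touch the same code the original did, not a look-alike elsewhere.
    """
    def changed(p):
        return [(tag, _squash_ws(text))
                for hunk in parse_hunks(p) for tag, text in hunk if tag != " "]
    return changed(patch_a) == changed(patch_b)


# Constructed stand-in for the Fedora 10 tree: the code the patch expects,
# but indented with tabs instead of spaces.
F10_TREE = (
    "static int\n"
    "set_size (Buf *buf, int n)\n"
    "{\n"
    "\tif (n < 0)\n"
    "\t\treturn -1;\n"
    "\tbuf->data = malloc (n * sizeof (Item));\n"
    "\treturn 0;\n"
    "}\n"
)

# Constructed stand-in for the RHEL 5 patch: space-indented, so patch(1)
# only applies it to F10_TREE with --ignore-whitespace.
RHEL_PATCH = """\
--- src/buf.c.orig
+++ src/buf.c
@@ -2,6 +2,6 @@
 set_size (Buf *buf, int n)
 {
-  if (n < 0)
+  if (n < 0 || (size_t) n > SIZE_MAX / sizeof (Item))
     return -1;
   buf->data = malloc (n * sizeof (Item));
   return 0;
"""

if __name__ == "__main__":
    clean = regenerate_patch(F10_TREE, RHEL_PATCH, "src/buf.c")
    print(clean)
    assert apply_patch(F10_TREE, clean) == apply_patch(F10_TREE, RHEL_PATCH, True)
    print("same change:", same_change(RHEL_PATCH, clean))
```

On a real tree the same three steps are `rpm2cpio pango-*.src.rpm | cpio -id` to unpack both source RPMs, `patch -p1 --ignore-whitespace < pango-glyphstring.patch-1.14.9-5.el5_3` in the Fedora source directory, and `diff -u` against a pristine copy to write the new patch; the `same_change` comparison is the part people skip, and it is what tells you the fuzzy match landed in the same function rather than on a whitespace-identical look-alike. Note that the regenerated patch carries the RHEL indentation on its `+` lines, which is harmless to the compiler but worth normalising by hand before it goes into a src-rpm.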
