Date:      Mon, 14 Feb 2011 11:45:46 -0500
From:      Tom Uffner <tom@uffner.com>
To:        freebsd-ports@freebsd.org
Cc:        Jan Henrik Sylvester <me@janh.de>
Subject:   Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
Message-ID:  <4D595C3A.3060808@uffner.com>
In-Reply-To: <4D58F749.1000106@janh.de>
References:  <4D5852F7.2010106@uffner.com> <4D5880EF.4020002@gmx.de> <4D58F749.1000106@janh.de>

Jan Henrik Sylvester wrote:

> The easiest way would probably be:
>
> - Take the src-rpm of the pango version in RHEL 5.
> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
> - Apply the RHEL 5 patch with --ignore-whitespace.
> - Diff for creating a patch that applies without --ignore-whitespace.
> - Bump version number and repackage a src-rpm for Fedora 10 with the new
> patch.
> - Build it on a clean Fedora 10 system.
>
> There is one more problem to solve:
> http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
>
> That mail went unanswered (at least as far as the mailing list archive
> goes). Probably, the procedure above would have to be put into a shell
> script for a willing committer to repeat. Every time this vulnerability
> comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
> to fix it. Thus, there might be one.

Peter Littmann's RPMs probably won't work for me since I'm looking for
9-current amd64.

Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
the pango project tarball) and the RHEL 5 patch solve this? I may not
have a "Reputation", but I've been around since 4.1BSD and a search
of the tree and the PRs will turn up a few bugfixes that I've submitted.

tom
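
Steps 4 and 5 of the quoted procedure (apply with --ignore-whitespace, then diff to get a patch that applies without it), as an added shell example that is not part of the original message. It assumes GNU patch, diff and mktemp; the function names, glyph.c, MAX_LEN and the patch contents are constructed stand-ins, not the real pango sources or the RHEL 5 patch.

```shell
#!/bin/sh
# Added example; assumes GNU patch, diff and mktemp. All file contents are constructed.

# rebase_patch SRC_DIR OLD_PATCH NEW_PATCH   (all absolute paths)
# Apply a patch that only fits with --ignore-whitespace to a copy of SRC_DIR,
# then diff that copy against a pristine copy to emit a patch that fits strictly.
rebase_patch() {
    work=$(mktemp -d) || return 1
    cp -R "$1" "$work/a" && cp -R "$1" "$work/b" || { rm -rf "$work"; return 1; }
    # Stop if any hunk is rejected; suppress .orig backups so that
    # diff -N does not pick them up as new files.
    (cd "$work/b" && patch -p1 --ignore-whitespace --no-backup-if-mismatch \
        < "$2") >/dev/null 2>&1 || { rm -rf "$work"; return 1; }
    rc=0; (cd "$work" && diff -urN a b > "$3") || rc=$?
    rm -rf "$work"
    [ "$rc" -eq 1 ]   # diff exits 1 when it found the expected differences
}

# applies_strictly SRC_DIR PATCH: true if PATCH applies with no fuzz and no
# whitespace tolerance (dry run on a copy; SRC_DIR is left untouched).
applies_strictly() {
    t=$(mktemp -d) || return 1
    cp -R "$1" "$t/s"
    rc=0; (cd "$t/s" && patch -p1 --fuzz=0 --dry-run < "$2") >/dev/null 2>&1 || rc=$?
    rm -rf "$t"
    return "$rc"
}

# Constructed stand-ins: a tab-indented source file (the newer tree) and a
# patch written against a space-indented copy of it (the older tree).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/src"
    printf 'void set_size(int n)\n{\n\tif (n < 0)\n\t\treturn;\n\tlen = n;\n}\n' \
        > "$d/src/glyph.c"
    printf '%s\n' '--- a/glyph.c' '+++ b/glyph.c' '@@ -1,6 +1,6 @@' \
        ' void set_size(int n)' ' {' '-    if (n < 0)' \
        '+    if (n < 0 || n > MAX_LEN)' '         return;' '     len = n;' ' }' \
        > "$d/old.patch"
    echo "$d"
}
```

Because the regenerated patch is a pure function of the pristine tree and the original patch, anyone holding the same two inputs can rerun the steps and compare the result's hunks with their own.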


