From owner-freebsd-ports@FreeBSD.ORG Mon Feb 14 17:47:39 2011
From: "Luchesar V. ILIEV"
Date: Mon, 14 Feb 2011 19:21:40 +0200
To: Tom Uffner
Cc: Jan Henrik Sylvester, freebsd-ports@freebsd.org
Subject: Re: fixing the vulnerability in linux-f10-pango-1.22.3_1
In-Reply-To: <4D595C3A.3060808@uffner.com>
List-Id: Porting software to FreeBSD

On Mon, Feb 14, 2011 at 18:45, Tom Uffner wrote:
> Jan Henrik Sylvester wrote:
>
>> The easiest way would probably be:
>>
>> - Take the src-rpm of the pango version in RHEL 5.
>> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
>> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
>> - Apply the RHEL 5 patch with --ignore-whitespace.
>> - Diff for creating a patch that applies without --ignore-whitespace.
>> - Bump version number and repackage a src-rpm for Fedora 10 with the new
>> patch.
>> - Build it on a clean Fedora 10 system.
>>
>> There is one more problem to solve:
>>
>> http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
>>
>> That mail went unanswered (at least as far as the mailing list archive
>> goes). Probably, the procedure above would have to be put into a shell
>> script for a willing committer to repeat. Every time this vulnerability
>> comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
>> to fix it. Thus, there might be one.
>
> Peter Littmann's RPMs probably won't work for me since I'm looking for
> 9-current amd64.
>
> Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
> the pango project tarball) and the RHEL 5 patch solve this? I may not
> have a "Reputation", but I've been around since 4.1BSD and a search
> of the tree and the PRs will turn up a few bugfixes that I've submitted.
>
> tom

Most likely you've already noticed my efforts in this matter, but let me
still mention them:

http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008285.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008295.html
http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008296.html

Sadly, I'm still struggling to find enough time to prepare for and apply
for ports committer (I'm afraid that while I might be known around the
academic security community and projects like the European GÉANT, that's
not the case with FreeBSD), but that's irrelevant now, anyway.

Of course, anyone who feels not particularly security concerned could
still use the patches for the ports tree provided in the first mail (I do
keep the relevant distfiles online). The step-by-step description in the
second set of mails could hopefully be helpful for someone whom the
community would trust to build an RPM. I do realize it's way too detailed
and long, so I was indeed thinking about preparing a shorter version these
days -- especially now that the Flash update brings the issue with
linux-pango again.

Please let me know if I could be of help somehow.

Cheers,
Luchesar
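The rebase-and-repackage procedure Jan Henrik Sylvester lists above, written out as an added shell script; it is not from the thread or from the FreeBSD project. It assumes GNU patch, diff and readlink plus rpm2cpio, cpio and rpmbuild, and that the Fedora pango spec uses a `Source0:` line and a `%setup` macro; the patch number 99 and the work directory layout are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the thread): rebase the RHEL 5 glyphstring patch onto
# the Fedora 10 pango-1.22.3 source so it applies without --ignore-whitespace,
# register it in the spec, bump Release and rebuild the source RPM.
set -eu

# Unpack a source RPM into DIR. Both arguments must be absolute paths.
unpack_srpm() {  # unpack_srpm FILE.src.rpm DIR
    mkdir -p "$2"
    (cd "$2" && rpm2cpio "$1" | cpio -idm --quiet)
}

# Apply OLD_PATCH to a copy of SRC_DIR ignoring whitespace, then diff that copy
# against the pristine tree to get a -p1 patch that applies exactly.
rebase_patch() {  # rebase_patch SRC_DIR OLD_PATCH NEW_PATCH (absolute paths)
    dir=$(dirname "$1"); base=$(basename "$1")
    rm -rf "$1.orig" "$1.new"; cp -R "$1" "$1.orig"; cp -R "$1" "$1.new"
    patch -d "$1.new" -p1 --ignore-whitespace --no-backup-if-mismatch -i "$2" >/dev/null
    # diff exits 1 when the trees differ, which is the expected outcome here
    (cd "$dir" && diff -Nur "$base.orig" "$base.new") > "$3" || [ $? -eq 1 ]
}

# Add PATCHFILE as Patch<N> after Source0: and apply it after %setup (assumed
# spec layout). The spec is rewritten via a temp file for portability.
add_patch_to_spec() {  # add_patch_to_spec SPEC PATCHFILE N
    sed -e "/^Source0:/a\\
Patch$3: $(basename "$2")" -e "/^%setup/a\\
%patch$3 -p1" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Increment the numeric part of Release: in SPEC and print the new number.
bump_release() {  # bump_release SPEC
    old=$(sed -n 's/^Release:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    new=$((old + 1))
    sed "s/^\(Release:[[:space:]]*\)$old/\1$new/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Whole procedure: sh rebase.sh run RHEL5-pango.src.rpm F10-pango-1.22.3.src.rpm
# The resulting src.rpm is then rebuilt on a clean Fedora 10 system (last step).
main() {
    top=$(pwd)/work
    unpack_srpm "$(readlink -f "$2")" "$top/rhel5"
    unpack_srpm "$(readlink -f "$3")" "$top/f10"
    tar -xf "$top"/f10/pango-1.22.3.tar.* -C "$top"
    rebase_patch "$top/pango-1.22.3" "$top/rhel5/pango-glyphstring.patch-1.14.9-5.el5_3" \
        "$top/f10/pango-1.22.3-glyphstring.patch"
    add_patch_to_spec "$top/f10/pango.spec" "$top/f10/pango-1.22.3-glyphstring.patch" 99
    bump_release "$top/f10/pango.spec"
    rpmbuild --define "_sourcedir $top/f10" --define "_srcrpmdir $top" -bs "$top/f10/pango.spec"
}
case "${1:-}" in run) main "$@" ;; esac
```

The diff step deliberately runs from the parent directory so the generated patch carries `pango-1.22.3.orig/` and `pango-1.22.3.new/` prefixes, which is what the `%patch99 -p1` line expects.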