On 2020-09-24 20:10, Tobias Kortkamp wrote:
> On Thu, Jul 23, 2020, at 18:34, Jochen Neumeister wrote:
>> Author: joneum
>> Date: Thu Jul 23 18:34:50 2020
>> New Revision: 542951
>> URL: https://svnweb.freebsd.org/changeset/ports/542951
>>
>> Log:
>> SECURITY UPDATE: Buffer overflow
>>
>> Gnome Pango 1.42 and later is affected by: Buffer Overflow. The
>> impact is: The heap based buffer overflow can be used to get code
>> execution. The component is: function name:
>> pango_log2vis_get_embedding_levels, assignment of nchars and the loop
>> condition. The attack vector is: Bug can be used when an application passes
>> invalid utf-8 strings to functions like pango_itemize.
>>
>> PR: 239563
>> Reported by: Miyashita Touka <[email protected]>
>> Approved by: gnome (maintainer timeout)
>> MFH: 2020Q3
>> Security: 456375e1-cd09-11ea-9172-4c72b94353b5
>> Sponsored by: Netzkommune GmbH
>
> The port is still vulnerable: files/CVE-20191010238 has no 'patch-'
> prefix, so it is never applied by the framework. How did this pass
> review?
This has been fixed in ports r550179, and VuXML has been updated with
the actual version of pango where this got fixed.
Regards
--
Niclas Zeising
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-desktop
To unsubscribe, send any mail to "[email protected]"
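The defect Tobias points out (a fix dropped into files/ without the `patch-` prefix, so the ports framework silently never applies it) is easy to catch mechanically before a commit or during review. The following POSIX sh check is an added example written for this thread; it is not code from the thread, from the pango port, or from the FreeBSD ports tree. It assumes the usual files/ naming conventions: `patch-*` is applied automatically, `extra-patch-*` is applied only when a port's Makefile lists it in EXTRA_PATCHES, and anything else that begins like a unified or context diff is suspect. The function name `check_patch_prefix` and the diff-header heuristic in `looks_like_patch` are my own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or the ports tree.
# Flags files in a port's files/ directory that look like patches but lack
# the 'patch-' prefix the ports framework requires for automatic application.
set -u

# looks_like_patch FILE -> exit 0 if the file begins like a unified/context diff.
# Heuristic (an assumption): unified diffs open with 'diff ', 'Index:', '--- '
# or '+++ ' lines; context diffs with '*** '.  Only the first 20 lines are read.
looks_like_patch() {
    head -n 20 "$1" | grep -Eq '^(--- |\+\+\+ |\*\*\* |diff |Index: )'
}

# check_patch_prefix PORTDIR
# Prints one line per offending file and returns 1 if any were found,
# 0 if files/ is clean or absent.  'extra-patch-*' names are tolerated
# because EXTRA_PATCHES applies them explicitly (assumption about convention).
check_patch_prefix() {
    portdir=$1
    rc=0
    [ -d "$portdir/files" ] || return 0
    for f in "$portdir"/files/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            patch-*|extra-patch-*) continue ;;
        esac
        if looks_like_patch "$f"; then
            echo "$portdir: files/$name looks like a patch but lacks the 'patch-' prefix; the framework will never apply it"
            rc=1
        fi
    done
    return $rc
}

# Usage (constructed path, adjust to your ports tree):
#   check_patch_prefix /usr/ports/x11-toolkits/pango && echo "files/ OK"
```

Running this over a whole category (`for p in /usr/ports/x11-toolkits/*; do check_patch_prefix "$p"; done`) gives a quick audit; a non-zero exit from any port is the signal that a security fix may be sitting unapplied, which is exactly what a VuXML entry claiming "fixed in version X" would otherwise hide.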