svn commit: r542951 - in head/x11-toolkits/pango: . files

Thu Sep 24 18:13:04 UTC 2020

On Thu, Jul 23, 2020, at 18:34, Jochen Neumeister wrote:
> Author: joneum
> Date: Thu Jul 23 18:34:50 2020
> New Revision: 542951
> URL: https://svnweb.freebsd.org/changeset/ports/542951
> 
> Log:
>   SECURITY UPDATE: Buffer overflow
>   
>   Gnome Pango 1.42 and later is affected by: Buffer Overflow. The 
> impact is: The heap based buffer overflow can be used to get code 
> execution. The component is: function name: 
> pango_log2vis_get_embedding_levels, assignment of nchars and the loop 
> condition. The attack vector is: Bug can be used when application pass 
> invalid utf-8 strings to functions like pango_itemize.
>   
>   PR:		239563
>   Reported by:	Miyashita Touka <imagin8r at protonmail.com>
>   Approved by:	gnome (maintainer timeout)
>   MFH:		2020Q3
>   Security:	456375e1-cd09-11ea-9172-4c72b94353b5
>   Sponsored by:	Netzkommune GmbH
> 
> Added:
>   head/x11-toolkits/pango/files/CVE-20191010238   (contents, props changed)
> Modified:
>   head/x11-toolkits/pango/Makefile
> 
> Modified: head/x11-toolkits/pango/Makefile
> ==============================================================================
> --- head/x11-toolkits/pango/Makefile	Thu Jul 23 18:34:47 2020	(r542950)
> +++ head/x11-toolkits/pango/Makefile	Thu Jul 23 18:34:50 2020	(r542951)
> @@ -3,7 +3,7 @@
>  
>  PORTNAME=	pango
>  PORTVERSION=	1.42.4
> -PORTREVISION=	3
> +PORTREVISION=	4
>  CATEGORIES=	x11-toolkits
>  MASTER_SITES=	GNOME
>  DIST_SUBDIR=	gnome2
> 
> Added: head/x11-toolkits/pango/files/CVE-20191010238
> ==============================================================================
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ head/x11-toolkits/pango/files/CVE-20191010238	Thu Jul 23 18:34:50 
> 2020	(r542951)
> @@ -0,0 +1,16 @@
> +--- ../pango/pango-bidi-type.c.orig	2020-07-23 19:10:14.338937000 +0200
> ++++ ../pango/pango-bidi-type.c	2020-07-23 19:12:15.511836000 +0200
> +@@ -179,8 +179,11 @@ pango_log2vis_get_embedding_levels (const gchar   
>  *te
> +   for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), 
> i++)
> +     {
> +       gunichar ch = g_utf8_get_char (p);
> +-      FriBidiCharType char_type;
> +-      char_type = fribidi_get_bidi_type (ch);
> ++	  FriBidiCharType char_type = fribidi_get_bidi_type (ch);
> ++		  
> ++	  	if (i == n_chars)
> ++			break;
> ++
> +       bidi_types[i] = char_type;
> +       ored_types |= char_type;
> +       if (FRIBIDI_IS_STRONG (char_type))

The port is still vulnerable: files/CVE-20191010238 has no 'patch-'
prefix so is never applied by the framework.  How did this pass
review?