fixing the vulnerability in linux-f10-pango-1.22.3_1
Jan Henrik Sylvester
me at janh.de
Mon Feb 14 09:35:24 UTC 2011
On 01/-10/-28163 20:59, Matthias Andree wrote:
> Am 13.02.2011 22:53, schrieb Tom Uffner:
>> is there any point in trying to update linux-f10-pango to address this
>> Affected package: linux-f10-pango-1.22.3_1
>> Type of problem: pango -- integer overflow.
>> I realize that I can install it w/ DISABLE_VULNERABILITIES. but I hate
>> having known exploits on my system & not installing it breaks flashplugin
>> and acroread (among others).
>> I've never tried to create or modify a linux emulation port before; so I'm
>> wondering just how annoying & tedious it's going to be?
>> it looks like there are no Fedora 10 RPMs of pango > 1.24 so it would
>> probably involve finding an F10 box and building one from source.
> Fedora 10 hasn't been supported for over a year now (EOL Mid December
> 2009), chances are, however, that newer versions of the system can build
> an RPM that would fit F10.
> There are online build services (for instance by/for openSUSE, starts
> with Fedora 12 however), if you find a release that is close enough in
> other shared library versions, that might help.
> Backporting just a security fix, if a reliable and reasonable patch
> exists, might be an easier option because you can take F10's 1.22.3
> *source* RPM, add the security patch, and rebuild (see below).
This is how far I have looked into it: RHEL/CentOS 5 has an even older
version of pango. Of course, there is a patch for that vulnerability in
the src-rpm of RHEL 5. If you use --ignore-whitespace for patch, the
RHEL 5 patch applies to the pango version in Fedora 10. Except for
whitespace changes, the code in question has not changed much between
the RHEL 5 and the Fedora 10 version. Probably, the patch fixes the
vulnerability for us, too.
The easiest way would probably be:
- Take the src-rpm of the pango version in RHEL 5.
- Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
- Extract the src-rpm of pango-1.22.3 from Fedora 10.
- Apply the RHEL 5 patch with --ignore-whitespace.
- Diff for creating a patch that applies without --ignore-whitespace.
- Bump version number and repackage a src-rpm for Fedora 10 with the new
- Build it on a clean Fedora 10 system.
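The "apply with --ignore-whitespace, then re-diff" steps of the list above, as an added illustration that is not the thread's own script: the files are constructed stand-ins (not pango source, and the inserted length check is not the real RHEL 5 patch), differing only in spaces-versus-tab indentation; it assumes GNU `patch` and `diff` are installed.

```shell
#!/bin/sh
# Constructed demo: a patch made against a space-indented "RHEL 5" file is
# applied to a tab-indented "Fedora 10" copy with patch -l, then re-diffed
# so the regenerated patch applies strictly. Not the real pango fix.
set -e

rebase_patch() {
  work=$(mktemp -d)
  mkdir -p "$work/old/a" "$work/old/b" "$work/new" "$work/check"

  # Constructed "RHEL 5" tree: a/ is unpatched, b/ carries the fix (a sign
  # check before the loop, standing in for the vendor's security patch).
  printf 'int clear(int n, int *buf) {\n    int i;\n    for (i = 0; i < n; i++)\n        buf[i] = 0;\n    return n;\n}\n' > "$work/old/a/glyph.c"
  printf 'int clear(int n, int *buf) {\n    int i;\n    if (n < 0) return -1;\n    for (i = 0; i < n; i++)\n        buf[i] = 0;\n    return n;\n}\n' > "$work/old/b/glyph.c"
  (cd "$work/old" && diff -u a/glyph.c b/glyph.c > "$work/rhel5.patch") || true

  # Constructed "Fedora 10" tree: same code re-indented with tabs, so the
  # RHEL 5 patch's context lines no longer match byte for byte.
  printf 'int clear(int n, int *buf) {\n\tint i;\n\tfor (i = 0; i < n; i++)\n\t\tbuf[i] = 0;\n\treturn n;\n}\n' > "$work/new/glyph.c"
  cp "$work/new/glyph.c" "$work/check/glyph.c"

  # Step 1: apply loosely. -l (--ignore-whitespace) lets any run of blanks
  # in the patch match any run of blanks in the target file.
  (cd "$work/new" && patch -s -p1 -l < "$work/rhel5.patch")

  # Step 2: re-diff against the pristine copy so the new patch's context
  # carries the Fedora 10 indentation and no longer needs -l.
  (cd "$work" && diff -u check/glyph.c new/glyph.c > "$work/f10.patch") || true

  # Step 3: prove the regenerated patch applies strictly to a clean copy.
  (cd "$work/check" && patch -s -p1 < "$work/f10.patch")
  count=$(grep -c 'if (n < 0) return -1;' "$work/check/glyph.c")
  rm -rf "$work"
  echo "$count"   # number of times the fix landed; 1 on success
}

rebase_patch
```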
There is one more problem to solve:
That mail went unanswered (at least as far as the mailing list archive
goes). Probably, the procedure above would have to be put into a shell
script for a willing committer to repeat. Every time this vulnerability
comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
to fix it. Thus, there might be one.
For me, the real question is: Considering the age of Fedora 10 and the
length of time it has been unsupported, it is likely that there are more
vulnerabilities in our Linux-f10 framework that are not documented in
our vulnerability database. Does fixing the pango vulnerability really
make the Linux emulation safe? (Is it worth it?)