fixing the vulnerability in linux-f10-pango-1.22.3_1
Tom Uffner
tom at uffner.com
Mon Feb 14 16:46:38 UTC 2011
Jan Henrik Sylvester wrote:
> The easiest way would probably be:
>
> - Take the src-rpm of the pango version in RHEL 5.
> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
> - Apply the RHEL 5 patch with --ignore-whitespace.
> - Diff for creating a patch that applies without --ignore-whitespace.
> - Bump version number and repackge a src-rpm for Fedora 10 with the new
> patch.
> - Build it on a clean Fedora 10 system.
>
> There is one more problem to solve:
> http://lists.freebsd.org/pipermail/freebsd-emulation/2010-December/008264.html
>
> That mail go unanswered (at least as far as the mailing list archive
> goes). Probably, the procedure above would have to be put into a shell
> script for a willing commiter to repeat. Every time this vulnerability
> comes up at ports@ or emulation@, some commitor ask for a (trusted) rpm
> to fix it. Thus, there might be one.
Peter Littmann's RPMs probably won't work for me since i'm looking for
9-current amd64.
would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
the pango project tarball) and the RHEL 5 patch solve this? I may not
have a "Reputation", but I've been around since 4.1BSD and a search
of the tree and the PRs will turn up a few bugfixes that I've submitted.
tom
More information about the freebsd-ports
mailing list