fixing the vulnerability in linux-f10-pango-1.22.3_1

Tom Uffner tom at
Mon Feb 14 16:46:38 UTC 2011

Jan Henrik Sylvester wrote:

> The easiest way would probably be:
> - Take the src-rpm of the pango version in RHEL 5.
> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
> - Apply the RHEL 5 patch with --ignore-whitespace.
> - Diff for creating a patch that applies without --ignore-whitespace.
> - Bump version number and repackage a src-rpm for Fedora 10 with the new
> patch.
> - Build it on a clean Fedora 10 system.
> There is one more problem to solve:
> That mail went unanswered (at least as far as the mailing list archive
> goes). Probably, the procedure above would have to be put into a shell
> script for a willing committer to repeat. Every time this vulnerability
> comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
> to fix it. Thus, there might be one.

Peter Littmann's RPMs probably won't work for me since I'm looking for
9-current amd64.

Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
the pango project tarball) and the RHEL 5 patch solve this? I may not
have a "Reputation", but I've been around since 4.1BSD and a search
of the tree and the PRs will turn up a few bugfixes that I've submitted.
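
The re-diff steps of the quoted procedure (apply with --ignore-whitespace, then diff to get a patch that applies without it), as an added example that is not part of the original thread. It runs on a constructed source file and patch, not the pango sources or the RHEL 5 patch, assumes GNU patch and diff, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example on constructed files (not pango or RHEL sources).
# Assumes GNU patch and diff. Function names are hypothetical.

# rebase_patch SRC_DIR OLD_PATCH NEW_PATCH
# Apply OLD_PATCH leniently to a copy of SRC_DIR, then re-diff against a
# pristine copy so NEW_PATCH carries the target tree's own whitespace.
rebase_patch() {
    work=$(mktemp -d) || return 1
    cp -R "$1" "$work/a" && cp -R "$1" "$work/b" || return 1
    # no backups: a stray .orig file would end up inside the new patch
    patch -d "$work/b" -p1 -s --ignore-whitespace --no-backup-if-mismatch < "$2" || return 1
    rc=0; (cd "$work" && diff -urN a b > new.patch) || rc=$?
    # diff exits 1 when the trees differ, which is the expected result
    [ "$rc" -eq 1 ] && cp "$work/new.patch" "$3"
    rc=$?; rm -rf "$work"; return "$rc"
}

# applies_strictly SRC_DIR PATCH: true only if PATCH applies to a fresh copy
# with zero fuzz and no whitespace leniency.
applies_strictly() {
    t=$(mktemp -d) || return 1
    cp -R "$1" "$t/src" || return 1
    rc=0
    patch -d "$t/src" -p1 -s -F0 < "$2" >/dev/null 2>&1 || rc=$?
    rm -rf "$t"; return "$rc"
}

# make_demo DIR: tab-indented source plus an old patch with space-indented
# context, standing in for the Fedora 10 tree and the RHEL 5 patch.
make_demo() {
    mkdir -p "$1/src"
    printf 'int grow(int n)\n{\n\tint len = n * 2;\n\treturn len;\n}\n' \
        > "$1/src/glyph.c"
    cat > "$1/old.patch" <<'EOF'
--- a/glyph.c
+++ b/glyph.c
@@ -1,5 +1,7 @@
 int grow(int n)
 {
+    if (n > 1000)
+        return -1;
     int len = n * 2;
     return len;
 }
EOF
}

demo=$(mktemp -d) && make_demo "$demo" &&
    rebase_patch "$demo/src" "$demo/old.patch" "$demo/new.patch" && cat "$demo/new.patch"
```

Running `applies_strictly` on the regenerated patch against a pristine tree is the check a reviewer can repeat to confirm the new patch was derived from the old one and the stated source, rather than trusting a prebuilt binary rpm.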

