fixing the vulnerability in linux-f10-pango-1.22.3_1
Luchesar V. ILIEV
luchesar.iliev at gmail.com
Mon Feb 14 17:47:39 UTC 2011
On Mon, Feb 14, 2011 at 18:45, Tom Uffner <tom at uffner.com> wrote:
> Jan Henrik Sylvester wrote:
>> The easiest way would probably be:
>> - Take the src-rpm of the pango version in RHEL 5.
>> - Extract the patch from it: pango-glyphstring.patch-1.14.9-5.el5_3
>> - Extract the src-rpm of pango-1.22.3 from Fedora 10.
>> - Apply the RHEL 5 patch with --ignore-whitespace.
>> - Diff for creating a patch that applies without --ignore-whitespace.
>> - Bump version number and repackage a src-rpm for Fedora 10 with the new
>> - Build it on a clean Fedora 10 system.
>> There is one more problem to solve:
>> That mail went unanswered (at least as far as the mailing list archive
>> goes). Probably, the procedure above would have to be put into a shell
>> script for a willing committer to repeat. Every time this vulnerability
>> comes up at ports@ or emulation@, some committer asks for a (trusted) rpm
>> to fix it. Thus, there might be one.
> Peter Littmann's RPMs probably won't work for me since I'm looking for
> 9-current amd64.
> Would a src-rpm verifiably generated from the Fedora 10 src-rpm (or
> the pango project tarball) and the RHEL 5 patch solve this? I may not
> have a "Reputation", but I've been around since 4.1BSD and a search
> of the tree and the PRs will turn up a few bugfixes that I've submitted.
Most likely you've already noticed my efforts in this matter, but let
me still mention them:
Sadly, I'm still struggling to find enough time to prepare for and
apply for ports committer (I'm afraid that while I might be known
around the academic security community and projects like the European
GÉANT, that's not the case with FreeBSD), but that's irrelevant now,
anyway. Of course, anyone who feels not particularly security
concerned could still use the patches for the ports tree provided in
the first mail (I do keep the relevant distfiles online).
The step-by-step description in the second set of mails could
hopefully be helpful for someone whom the community would trust to
build an RPM. I do realize it's way too detailed and long, so I was
indeed thinking about preparing a shorter version these days --
especially now that the Flash update brings the issue with linux-pango
again. Please let me know if I could be of help somehow.
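The step in the quoted recipe that usually trips people up is the middle one: the RHEL 5 patch only applies to the Fedora 10 source with --ignore-whitespace, and the rebuilt package needs a patch that applies cleanly. The script below is an added example for this thread, not code from the list, from pango, or from the Fedora/RHEL packages. It applies a unified diff while ignoring whitespace in the context lines (what patch --ignore-whitespace does), then regenerates a fresh unified diff against the real source so the result applies exactly. The source file and patch in it are constructed stand-ins, not pango code, and the file name example.c is a placeholder.

```python
"""Turn a patch that only applies with --ignore-whitespace into one that
applies cleanly.

Added example for this thread; not code from the mailing list or from the
pango, Fedora or RHEL projects. The source file and patch below are
constructed stand-ins (example.c is a placeholder name), not pango code.
"""
import difflib
import re

_WS = re.compile(r"\s+")


def _loose(line):
    """Comparison key that ignores all whitespace (what --ignore-whitespace does)."""
    return _WS.sub("", line)


def parse_hunks(patch_text):
    """Split a unified diff into hunks: lists of (tag, text), tag in ' ', '-', '+'."""
    hunks, cur = [], None
    for raw in patch_text.splitlines():
        if raw.startswith("@@"):
            cur = []
            hunks.append(cur)
        elif cur is None:
            continue                      # ---/+++ file headers and preamble
        elif raw == "":
            cur.append((" ", ""))         # some tools emit bare empty context lines
        elif raw[0] in " -+":
            cur.append((raw[0], raw[1:]))
        # '\ No newline at end of file' and similar markers are ignored
    return hunks


def apply_hunks(lines, hunks, key=str):
    """Apply hunks to a list of lines; raise ValueError if context is not found.

    key=str demands byte-exact context; key=_loose mimics --ignore-whitespace.
    Context lines keep the target's own text, added lines keep the patch's text.
    """
    out, pos = list(lines), 0
    for hunk in hunks:
        want = [key(t) for tag, t in hunk if tag in " -"]
        start = next((s for s in range(pos, len(out) - len(want) + 1)
                      if [key(l) for l in out[s:s + len(want)]] == want), None)
        if start is None:
            raise ValueError("hunk context not found in target")
        new, i = [], start
        for tag, text in hunk:
            if tag == " ":
                new.append(out[i])
                i += 1
            elif tag == "-":
                i += 1
            else:
                new.append(text)
        out[start:i] = new
        pos = start + len(new)
    return out


def applies_exactly(source_text, patch_text):
    """True if the patch applies without any whitespace fuzz."""
    try:
        apply_hunks(source_text.splitlines(), parse_hunks(patch_text))
        return True
    except ValueError:
        return False


def regenerate_patch(source_text, fuzzy_patch, fromfile="a/example.c", tofile="b/example.c"):
    """Return (clean_patch, patched_text) for a patch that needs --ignore-whitespace."""
    old = source_text.splitlines()
    new = apply_hunks(old, parse_hunks(fuzzy_patch), key=_loose)
    clean = "\n".join(difflib.unified_diff(old, new, fromfile, tofile, lineterm="")) + "\n"
    return clean, "\n".join(new) + "\n"


# Constructed stand-ins: the "Fedora" source is indented with tabs, the "RHEL"
# patch was made against a copy indented with spaces, so its context lines no
# longer match byte-for-byte.
FEDORA_SOURCE = "int\nfoo (int n)\n{\n\tint i;\n\tfor (i = 0; i < n; i++)\n\t\tbar (i);\n\treturn 0;\n}\n"
RHEL_PATCH = """--- a/example.c
+++ b/example.c
@@ -2,6 +2,8 @@
 foo (int n)
 {
     int i;
+    if (n < 0)
+        return -1;
     for (i = 0; i < n; i++)
         bar (i);
     return 0;
"""

if __name__ == "__main__":
    clean, patched = regenerate_patch(FEDORA_SOURCE, RHEL_PATCH)
    print(clean)
    print("original patch applies exactly:", applies_exactly(FEDORA_SOURCE, RHEL_PATCH))
    print("regenerated patch applies exactly:", applies_exactly(FEDORA_SOURCE, clean))
```

Note that, exactly as with patch --ignore-whitespace, the added lines keep the indentation of the patch they came from, so the regenerated diff is worth a quick read before it goes into a src-rpm; the context lines, however, now carry the target's own text, which is what makes the new patch apply without fuzz.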