Bug#933860: pango1.0: CVE-2019-1010238

Simon McVittie smcv at debian.org
Sun Aug 4 17:27:34 BST 2019


Control: tags -1 + pending

On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> CVE-2019-1010238[0]:
> | Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact
> | is: The heap based buffer overflow can be used to get code execution.
> | The component is: function name: pango_log2vis_get_embedding_levels,
> | assignment of nchars and the loop condition. The attack vector is: Bug
> | can be used when applications pass invalid utf-8 strings to functions
> | like pango_itemize.

The upstream bug is currently still marked as confidential, but is
accessible by GNOME members and contains a reproducer. Ubuntu appear to
have released the upstream patch as a fix, so hopefully that's valid; a
test-build of something functionally equivalent for sid is compiling now.

Do I assume correctly from the 'important' severity that the security team
do not intend to release a DSA for this?

For buster (either via a DSA or a point release), the solution will
presumably be a 1.42.4-7~deb10u1 or 1.42.4-6+deb10u1 that is equivalent to
what I'm now testing, but with the changelog and debian/gbp.conf adjusted
appropriately for buster.

> Please adjust the affected versions in the BTS as needed.

I'll check the upstream reproducer against stretch (and jessie for the
LTS people's benefit) soon.

    smcv
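A defensive check for the application-side trigger named in the quoted CVE text (invalid UTF-8 reaching pango_itemize), added here as an example that is not part of this message or of Pango's code: a strict UTF-8 validator an application can run before handing text to Pango, in the spirit of GLib's g_utf8_validate(). The function names and the sample inputs are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 validation (RFC 3629): rejects truncated sequences, stray
 * continuation bytes, overlong encodings, UTF-16 surrogates and code points
 * above U+10FFFF. On success returns true and stores the character count in
 * *nchars; on failure returns false and stores the byte offset of the first
 * bad sequence, so the caller never derives a character count from bad input. */
bool utf8_validate(const unsigned char *s, size_t len, size_t *nchars)
{
    size_t i = 0, count = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;                       /* continuation bytes expected */
        uint32_t cp;
        if (c < 0x80) { i++; count++; continue; }
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; }
        else goto bad;                     /* 0x80..0xBF or 0xF8..0xFF lead */
        if (len - i < need + 1) goto bad;  /* truncated at end of buffer */
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) goto bad;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        /* overlong: the value must actually require this many bytes */
        if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800) ||
            (need == 3 && cp < 0x10000)) goto bad;
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) goto bad;
        i += need + 1;
        count++;
    }
    *nchars = count;
    return true;
bad:
    *nchars = i;
    return false;
}

/* Wrapper for NUL-terminated strings: only text that passes this check
 * should be handed to pango_itemize() or other Pango entry points. */
bool safe_for_itemize(const char *text, size_t *nchars)
{
    return utf8_validate((const unsigned char *)text, strlen(text), nchars);
}
```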
