Control: tags -1 + pending
On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> CVE-2019-1010238[0]:
> | Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact
> | is: The heap based buffer overflow can be used to get code execution.
> | The component is: function name: pango_log2vis_get_embedding_levels,
> | assignment of nchars and the loop condition. The attack vector is: Bug
> | can be used when application pass invalid utf-8 strings to functions
> | like pango_itemize.
The upstream bug is currently still marked as confidential, but is
accessible by GNOME members and contains a reproducer. Ubuntu appear to
have released the upstream patch as a fix, so hopefully that's valid; a
test-build of something functionally equivalent for sid is compiling now.

Do I assume correctly from the 'important' severity that the security team
do not intend to release a DSA for this?

For buster (either via a DSA or a point release), the solution will
presumably be a 1.42.4-7~deb10u1 or 1.42.4-6+deb10u1 that is equivalent to
what I'm now testing, but with the changelog and debian/gbp.conf adjusted
appropriately for buster.
> Please adjust the affected versions in the BTS as needed.
I'll check the upstream reproducer against stretch (and jessie for the
LTS people's benefit) soon.

    smcv
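The CVE text quoted above says the overflow is reached when an application hands invalid UTF-8 to Pango entry points such as pango_itemize. Independently of the package fix, the defensive check on the application side is to validate input before it reaches the shaping code, which is what GLib's g_utf8_validate does. The following is an added example, not code from Pango, GLib or the bug report: a self-contained strict UTF-8 validator (RFC 3629 rules: no overlongs, no UTF-16 surrogates, nothing above U+10FFFF, no truncated sequences) plus a code-point counter that refuses to count malformed input, so byte length and character count can never disagree on data that gets past it. The function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 well-formedness check (RFC 3629) over buf[0..len).
 * Returns 1 if valid, 0 otherwise. Rejects:
 *  - stray continuation bytes and lead bytes 0xF8..0xFF
 *  - sequences truncated by the end of the buffer
 *  - overlong encodings (e.g. C0 AF for '/')
 *  - UTF-16 surrogate code points U+D800..U+DFFF
 *  - code points above U+10FFFF */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;      /* number of continuation bytes expected */
        uint32_t cp;      /* decoded code point */
        uint32_t min;     /* smallest code point legal for this length */

        if (c < 0x80) { i++; continue; }                       /* ASCII */
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                 /* 0x80..0xBF or 0xF8..0xFF as lead byte */

        if (len - i - 1 < need) return 0;                      /* truncated */
        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = buf[i + k];
            if ((cc & 0xC0) != 0x80) return 0;                 /* not 10xxxxxx */
            cp = (cp << 6) | (cc & 0x3F);
        }
        if (cp < min) return 0;                                /* overlong */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;            /* surrogate */
        if (cp > 0x10FFFF) return 0;                           /* out of range */
        i += need + 1;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated strings. */
int utf8_str_is_valid(const char *s)
{
    return utf8_is_valid((const unsigned char *)s, strlen(s));
}

/* Count code points in a NUL-terminated string. Returns -1 instead of a
 * count when the string is not valid UTF-8, so a caller can never end up
 * sizing a buffer from a character count computed over malformed input. */
long utf8_count_chars(const char *s)
{
    size_t len = strlen(s);
    if (!utf8_is_valid((const unsigned char *)s, len)) return -1;
    long n = 0;
    for (size_t i = 0; i < len; i++)
        if (((unsigned char)s[i] & 0xC0) != 0x80) n++;  /* count non-continuation bytes */
    return n;
}

/* Gate in front of any text-shaping call: only well-formed UTF-8 goes on. */
int text_is_safe_to_shape(const char *s)
{
    return utf8_str_is_valid(s);
}

int main(void)
{
    /* Constructed samples: valid text, then the classic malformed shapes. */
    const char *samples[] = {
        "hello",                  /* ASCII */
        "h\xC3\xA9",              /* "hé" */
        "\xF0\x9F\x98\x80",       /* U+1F600, 4-byte sequence */
        "\xC0\xAF",               /* overlong '/' */
        "\xED\xA0\x80",           /* U+D800 surrogate */
        "\xE2\x82",               /* truncated 3-byte sequence */
        "\x80",                   /* stray continuation byte */
        "\xF4\x90\x80\x80",       /* U+110000, above Unicode range */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s (chars=%ld)\n", i,
               text_is_safe_to_shape(samples[i]) ? "ok, shape it" : "reject",
               utf8_count_chars(samples[i]));
    return 0;
}
```

Run it as-is and the first three samples are accepted with character counts 5, 2 and 1, while the five malformed ones are rejected with count -1. In an application the `text_is_safe_to_shape` check sits immediately before the Pango call, and rejected input is dropped or replaced (for instance with U+FFFD) rather than passed through.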