Bug#933860: pango1.0: CVE-2019-1010238

Salvatore Bonaccorso carnil at debian.org
Sun Aug 4 18:21:29 BST 2019


Hi Simon,

[Adding team at s.d.o to CC]

On Sun, Aug 04, 2019 at 05:48:38PM +0100, Simon McVittie wrote:
> On Sun, 04 Aug 2019 at 17:27:34 +0100, Simon McVittie wrote:
> > On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> > > Please adjust the affected versions in the BTS as needed.
> > 
> > I'll check the upstream reproducer against stretch (and jessie for the
> > LTS people's benefit) soon.
> 
> The reproducer provided on the embargoed upstream bug would seem to
> indicate that stretch and jessie are not affected.
> 
> Ubuntu 18.04 'xenial' is also shipping pango1.0 1.40.x (although a
> later release than the one in stretch), and Ubuntu have not patched that
> version for this CVE.

Okay. Is there some indication which upstream code change introduced
the issue so we can try to narrow this down?

Re the no-dsa/dsa question, the added severity does not necessarily
imply that; actually, to be on the safe side I should have chosen grave
(which can then be lowered if not appropriate). The problem was simply
that I cannot determine well enough the impact and exploiting/attack
scenarios.

Does the upstream bug give more details which can help on that?

That a reproducer might not trigger and the loop part is missing might
still not guarantee us that the issue is not present. As said, I have
not enough insight here. But the question was raised as well by
Leonidas S. Barbosa from Ubuntu (but I guess without receiving a reply)
in https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54#note_563576

Thanks for having done already the fix for unstable!

Regards,
Salvatore
