From 1574dd6d48e4b1deef1dc05764eb51687e699822 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Fri, 18 Jan 2019 10:22:12 +0100 Subject: [PATCH] package/pango: add upstream security fix for CVE-2018-15120 libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences. https://nvd.nist.gov/vuln/detail/CVE-2018-15120 Signed-off-by: Peter Korsgaard --- ...rtion-with-invalid-Unicode-sequences.patch | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 package/pango/0002-Prevent-an-assertion-with-invalid-Unicode-sequences.patch diff --git a/package/pango/0002-Prevent-an-assertion-with-invalid-Unicode-sequences.patch b/package/pango/0002-Prevent-an-assertion-with-invalid-Unicode-sequences.patch new file mode 100644 index 0000000000..010981e8b4 --- /dev/null +++ b/package/pango/0002-Prevent-an-assertion-with-invalid-Unicode-sequences.patch @@ -0,0 +1,38 @@ +From 71aaeaf020340412b8d012fe23a556c0420eda5f Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Fri, 17 Aug 2018 22:29:36 -0400 +Subject: [PATCH] Prevent an assertion with invalid Unicode sequences + +Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, +can trick the Emoji iter code into returning an empty +segment, which then triggers an assertion in the itemizer. + +Prevent this by ensuring that we make progress. + +This issue was reported by Jeffrey M. + +Signed-off-by: Peter Korsgaard +--- + pango/pango-emoji.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/pango/pango-emoji.c b/pango/pango-emoji.c +index 0e332dff..29472452 100644 +--- a/pango/pango-emoji.c ++++ b/pango/pango-emoji.c +@@ -253,6 +253,12 @@ _pango_emoji_iter_next (PangoEmojiIter *iter) + if (iter->is_emoji == PANGO_EMOJI_TYPE_IS_EMOJI (current_emoji_type)) + { + iter->is_emoji = !PANGO_EMOJI_TYPE_IS_EMOJI (current_emoji_type); ++ ++ /* Make sure we make progress. Weird sequences, like a VC15 followed ++ * by VC16, can trick us into stalling otherwise. */ ++ if (iter->start == iter->end) ++ iter->end = g_utf8_next_char (iter->end); ++ + return TRUE; + } + } +-- +2.11.0 + -- 2.30.2