Will linux-f10-pango ever be fixed?

port update of...

How to update linux-f10-pango since it has a vulnerability?
I did # portupgrade linux-f10-pango but that did not do anything.
 
There is no newer port for it, and there likely never will be. Either live with the vulnerable port, or stop using it.
 
I've noticed now that print/acroread9 also can't be installed using portaudit because of the linux-f10-pango integer overflow vulnerability. Does anyone know if something is ever going to be done about this problem?
 
Yes I did and it is not on the list of updates but when I do
# portaudit -dFa
then I get output about the vulnerability. As Dutch wrote there is no fix for this particular port, I will have to live with it or think about something else.
 
That's probably the way it is, though there were several linux-fc10 ports updated today (base, nss, and others). I don't think the specific pango vulnerability will be addressed separately though. I have not seen any attack vectors in the wild for it either, or they are too involved and labor-intensive to be really dangerous.
 
DutchDaemon said:
drp, try a forum search next time. Threads merged.

I already did a forum search, but I wanted to separate my question because I was wondering if anyone knows for an absolute fact that anything is or isn't planned for it.
It seems like a serious vulnerability to me, in a way. But I read that remotely, it can only cause a denial of service. I'm not sure that's correct, but that's the way the description of the problem looked, and so I thought it might not be a serious issue for me. But I would think any overflow is something that's best not to take chances with. I'm confused that so many people seem to be concerned, and it's been so long, and nothing has been done. It's led me to believe that it's not as serious as it seems, but then after posting here and getting a suggestion to go ahead and disable vulnerabilities for it because nothing is planned on being done about it, I haven't been able to decide whether it's very difficult to fix or just isn't a big deal. Like I said, I read a description that said remotely it can cause a denial of service, but it didn't say anything about arbitrary code execution. I just have no idea what the exact problem is and if anyone knows for a fact if anything should be done or is being done, and I haven't been able to find a good answer through a forum search or Google search.
 
No one here knows if it will be fixed; it's not a FreeBSD issue. Ask the Fedora people if you're really concerned.
 
That's the problem: to fix the problem on the FreeBSD ports tree, we need a fc10 pango RPM, but you'll only see those packages for newer Fedora Core versions.

The best way would be to install Fedora Core 10 and create such a pango package. You can always try to get in touch with the maintainer of the pango RPM and ask him for instructions/assistance/help on this issue.
 
linux-f10-pango replacement, please test and give feedback

Hello,

I just installed Fedora 10 and made an RPM from the Fedora 13 source.rpm.
I hope this will work on your systems so that the security warning from portaudit will no longer annoy us.

You can find it on:
http://home.versanet.de/~pl-994414/FreeBSD-ports

Please test and inform me if this works for you or what could be made better.

Do you wish for further linux-f10 ports?
Are there any hints/guidelines to follow that you can suggest reading?


Have a nice day

Peter
 