# Will linux-f10-pango ever be fixed?



## nu2fbsd (Sep 13, 2010)

*port update of...*

How to update linux-f10-pango since it has a vulnerability? 
I did `# portupgrade linux-f10-pango` but that did not do anything.


----------



## DutchDaemon (Sep 13, 2010)

There is no newer port for it, and there likely never will be. Either live with the vulnerable port, or stop using it.


----------



## derekschrock (Sep 13, 2010)

nu2fbsd said:

> How to update linux-f10-pango since it has a vulnerability?
> I did `# portupgrade linux-f10-pango` but that did not do anything.



Did you run portsnap first? 

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading-portsnap.html


----------



## drp (Sep 14, 2010)

I've noticed now that print/acroread9 also can't be installed using portaudit because of the linux-f10-pango integer overflow vulnerability. Does anyone know if something is ever going to be done about this problem?


----------



## nu2fbsd (Sep 14, 2010)

Yes, I did, and it is not on the list of updates, but when I do 
`# portaudit -dFa`
then I get output about the vulnerability. As Dutch wrote, there is no fix for this particular port; I will have to live with it or think about something else.


----------



## alelab (Sep 14, 2010)

Hi,

Run `export/setenv DISABLE_VULNERABILITIES=yes` (depending on your shell) to bypass the vulnerabilities check.


----------



## DutchDaemon (Sep 14, 2010)

That's probably the way it is, though there were several linux-fc10 ports updated today (base, nss, and others). I don't think the specific pango vulnerability will be addressed separately though. I have not seen any attack vectors in the wild for it either, or they are too involved and labor-intensive to be really dangerous.


----------



## DutchDaemon (Sep 14, 2010)

drp, try a forum search next time. Threads merged.


----------



## nu2fbsd (Sep 14, 2010)

Now that the linux_base-f10 port is updated, should I do `# portupgrade linux_base-f10`?


----------



## drp (Sep 14, 2010)

DutchDaemon said:

> drp, try a forum search next time. Threads merged.



I already did a forum search, but I wanted to separate my question because I was wondering if anyone knows for an absolute fact that anything is or isn't planned for it.
It seems like a serious vulnerability to me, in a way. But I read that remotely, it can only cause a denial of service. I'm not sure that's correct, but that's the way the description of the problem looked, and so I thought it might not be a serious issue for me. But I would think any overflow is something that's best not to take chances with. I'm confused that so many people seem to be concerned, and it's been so long, and nothing has been done. It's led me to believe that it's not as serious as it seems, but then after posting here and getting a suggestion to go ahead and disable vulnerabilities for it because nothing is planned on being done about it, I haven't been able to decide whether it's very difficult to fix or just isn't a big deal. Like I said, I read a description that said remotely it can cause a denial of service, but it didn't say anything about arbitrary code execution. I just have no idea what the exact problem is and if anyone knows for a fact if anything should be done or is being done, and I haven't been able to find a good answer through a forum search or Google search.


----------



## DutchDaemon (Sep 14, 2010)

No one here knows if it will be fixed; it's not a FreeBSD issue. Ask the Fedora people if you're really concerned.


----------



## Dereckson (Sep 14, 2010)

That's the problem: to fix the problem on the FreeBSD ports tree, we need a fc10 pango RPM, but you'll only see those packages for newer Fedora Core versions.

The best way would be to install Fedora Core 10 and create such a pango package. You can always try to get in touch with the maintainer of the pango RPM and ask him for instructions/assistance/help on this issue.


----------



## PeterLittmann (Sep 25, 2010)

*linux-f10-pango replacement, please test and give feedback*

Hello,

I just installed Fedora 10 and made an RPM from the Fedora 13 source.rpm.
I hope this will work on your systems so that the security warning from portaudit will no longer annoy us.

You can find it on:
http://home.versanet.de/~pl-994414/FreeBSD-ports

Please test and inform me if this works for you or what could be made better.

Do you wish for further linux-f10 ports?
Are there any hints/guidelines to follow that you can suggest reading?


Have a nice day

Peter


----------



## PeterLittmann (Sep 25, 2010)

Just two tags added.


----------

