From 4064fc42f6a7dc59a94aa6ac4ed18ce4501452fa82f73142063cf76d97ef4357 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Lie?=
Date: Mon, 20 Aug 2018 18:30:03 +0000
Subject: [PATCH] Accepting request 630646 from home:sreeves1:branches:GNOME:Factory
- Add pango-emoji-bsc1103877.patch: Fix denial of service when parsing emoji (bsc#1103877, CVE-2018-15120)
OBS-URL: https://build.opensuse.org/request/show/630646
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/pango?expand=0&rev=194
---
 pango-emoji-bsc1103877.patch | 17 +++++++++++++++++
 pango.changes | 6 ++++++
 pango.spec | 3 +++
 3 files changed, 26 insertions(+)
 create mode 100644 pango-emoji-bsc1103877.patch
diff --git a/pango-emoji-bsc1103877.patch b/pango-emoji-bsc1103877.patch
new file mode 100644
index 0000000..2cb95e7
--- /dev/null
+++ b/pango-emoji-bsc1103877.patch
@@ -0,0 +1,17 @@
+Index: pango-1.42.3/pango/pango-emoji.c
+===================================================================
+--- pango-1.42.3.orig/pango/pango-emoji.c
++++ pango-1.42.3/pango/pango-emoji.c
+@@ -253,6 +253,12 @@ _pango_emoji_iter_next (PangoEmojiIter *
+ if (iter->is_emoji == PANGO_EMOJI_TYPE_IS_EMOJI (current_emoji_type))
+ {
+ iter->is_emoji = !PANGO_EMOJI_TYPE_IS_EMOJI (current_emoji_type);
++
++ /* Make sure we make progress. Weird sequences, like a VC15 followed
++ * by VC16, can trick us into stalling otherwise. */
++ if (iter->start == iter->end)
++ iter->end = g_utf8_next_char (iter->end);
++
+ return TRUE;
+ }
+ }
diff --git a/pango.changes b/pango.changes
index 6a666bb..8e1ee5c 100644
--- a/pango.changes
+++ b/pango.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Aug 18 00:01:23 UTC 2018 - sreeves@suse.com
+
+- Add pango-emoji-bsc1103877.patch: Fix denial of service
+ when parsing emoji (bsc#1103877, CVE-2018-15120)
+
 -------------------------------------------------------------------
 Mon Jul 30 19:40:05 UTC 2018 - bjorn.lie@gmail.com
 
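Review bot: The forced advance `iter->end = g_utf8_next_char (iter->end);` in `_pango_emoji_iter_next` is not bounded by anything visible in this hunk. `g_utf8_next_char` steps by the length implied by the lead byte without checking the end of the buffer, so the fix presumably relies on the enclosing loop (which starts outside the hunk) keeping `iter->end` before the end of the text, and on the input already being valid UTF-8. Please confirm both and record the invariant next to the check, for example `/* The enclosing loop guarantees iter->end is before the end of the text, so one step stays in bounds. */`. The new patch file also begins directly at `Index:` with no header, so the upstream change it was taken from is not recorded; a short header naming the upstream source alongside bsc#1103877 and CVE-2018-15120 would make later audits of this security fix easier.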
diff --git a/pango.spec b/pango.spec index 1686ed5..32af1df 100644 --- a/pango.spec +++ b/pango.spec @@ -26,6 +26,8 @@ URL: http://www.pango.org/ Source0: https://download.gnome.org/sources/pango/1.42/%{name}-%{version}.tar.xz Source2: macros.pango Source99: baselibs.conf +#PATCH-FIX-UPSTREAM pango-emoji-bsc1103877.patch sreeves@suse.com -- Fix CVE-2018-15120 denial of service parsing emoji +Patch0: pango-emoji-bsc1103877.patch BuildRequires: gcc-c++ BuildRequires: gtk-doc @@ -119,6 +121,7 @@ to develop applications that require these. %prep %setup -q +%patch0 -p1 %build %meson \