Hi Simon,

[Adding team@s.d.o to CC]

On Sun, Aug 04, 2019 at 05:48:38PM +0100, Simon McVittie wrote:
> On Sun, 04 Aug 2019 at 17:27:34 +0100, Simon McVittie wrote:
> > On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> > > Please adjust the affected versions in the BTS as needed.
> >
> > I'll check the upstream reproducer against stretch (and jessie for the
> > LTS people's benefit) soon.
>
> The reproducer provided on the embargoed upstream bug would seem to
> indicate that stretch and jessie are not affected.
>
> Ubuntu 18.04 'xenial' is also shipping pango1.0 1.40.x (although a
> later release than the one in stretch), and Ubuntu have not patched that
> version for this CVE.

Okay. Is there some indication which upstream code change introduced the issue so we can try to narrow this down?

Re the no-dsa/dsa question, the added severity does not necessarily imply that, actually to be on the safe side I should have chosen grave (which then can be lowered if not appropriate). The problem was simply I cannot determine well enough the impact and exploiting/attack scenarios. Does the upstream bug give more details which can help on that?

That a reproducer might not trigger and the loop part is missing might still not guarantee us that the issue is not present. As said I have not enough insight here. But the question was as well raised by Leonidas S. Barbosa from Ubuntu (but guess without receiving a reply) in https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54#note_563576

Thanks for having done already the fix for unstable!

Regards,
Salvatore