Comment 4 for bug 509919

Theppitak Karoonboonyanan (thep) wrote : Re: Hundreds of packages depend on libthai and libthai-data

- The vulnerability has been fixed in 0.1.12-1ubuntu0.2 [1]. So, you might have already updated it before reporting this bug.

    [1] https://launchpad.net/ubuntu/+source/libthai/0.1.12-1ubuntu0.2

- The vulnerability was later proved to be ineffective in libthai [2]. Instead, it's pango/glib that's vulnerable. So, if you want to get rid of all packages with a security flaw, just remove pango instead. :P

    [2] https://bugzilla.redhat.com/show_bug.cgi?id=554416

- Regarding the dependency, nothing can be done in libthai to change this. It's pango that pulls it in, according to upstream decision. Before the merge, it used to be shipped as a separate third-party plug-in. Well, if you ask for the re-split, one can ask for other language engines to be split, too. So, this should be reassigned to pango, for its maintainers to decide.