It was discovered that pango did not check for memory reallocation failures in hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index used for accessing members of the incorrectly reallocated array, resulting in the use of NULL address as the base array address. This can result in application crash or, possibly, code execution. It was demonstrated that it's possible to trigger this flaw in Firefox via a specially crafted web page. Mozilla bug report (currently not public): https://bugzilla.mozilla.org/show_bug.cgi?id=606997 Fix in the harfbuzz git: http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e
https://bugzilla.redhat.com/show_bug.cgi?id=678563 has links to some patches.
*** Bug 357781 has been marked as a duplicate of this bug. ***
+*pango-1.28.3-r1 (12 Mar 2011) + + 12 Mar 2011; Pacho Ramos <pacho@gentoo.org> -files/pango-1.2.5-lib64.patch, + -pango-1.24.5-r1.ebuild, -files/pango-1.26.0-introspection-automagic.patch, + -pango-1.26.2.ebuild, +pango-1.28.3-r1.ebuild, + +files/pango-1.28.3-heap-corruption.patch, + +files/pango-1.28.3-malloc-failure.patch: + Fix security issues: CVE-2011-0020 and CVE-2011-0064. Remove old. +
CVE-2011-0064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0064): The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.
This issue was resolved and addressed in GLSA 201405-13 at http://security.gentoo.org/glsa/glsa-201405-13.xml by GLSA coordinator Sean Amoss (ackle).
