
Bug 357067 (CVE-2011-0064)

Summary: <x11-libs/pango-1.28.3-r1: missing memory reallocation failure checking in hb_buffer_ensure (CVE-2011-0064)
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: fierevere, gnome
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=678563
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 352087
Bug Blocks:

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-02 07:55:28 UTC
It was discovered that pango did not check for memory reallocation failures in
the hb_buffer_ensure() function.  This could trigger a NULL pointer dereference
in hb_buffer_add_glyph(), where possibly untrusted input is used as an index for
accessing members of the incorrectly reallocated array, resulting in the use of
the NULL address as the base array address.  This can result in an application
crash or, possibly, code execution.

It was demonstrated that it's possible to trigger this flaw in Firefox via a
specially crafted web page.

Mozilla bug report (currently not public):
https://bugzilla.mozilla.org/show_bug.cgi?id=606997

Fix in the harfbuzz git:
http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e
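The report above describes the flaw as an unchecked realloc() in hb_buffer_ensure() followed by an index into the now-NULL array in hb_buffer_add_glyph(). The C program below, added here as an illustration and not HarfBuzz's or Pango's own code, reproduces that pattern on a simplified glyph buffer and puts the hardened form beside it: `ensure_checked()` reports failure, keeps the old array and capacity, and latches the buffer into an error state so no later add can index it. The names (`glyph_buffer_t`, `ensure_unchecked`, `fail_after_bytes` as a fault-injection knob) are this example's own assumptions, not the library's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified glyph buffer modelled on the pattern the report describes.
 * Illustrative code added for this page, not HarfBuzz's or Pango's own. */
typedef struct { uint32_t codepoint; uint32_t cluster; } glyph_info_t;
typedef struct {
    glyph_info_t *info;  /* glyph array, grown with realloc() */
    size_t allocated;    /* capacity in elements */
    size_t len;          /* elements in use; driven by untrusted font data */
    bool in_error;       /* latched by the hardened path once allocation fails */
} glyph_buffer_t;

/* Fault-injection knob (assumption of this example): requests above this size fail. */
size_t fail_after_bytes = SIZE_MAX;

void *buffer_realloc(void *p, size_t bytes)
{
    if (bytes > fail_after_bytes)
        return NULL;  /* simulated failure: the old block stays valid */
    return realloc(p, bytes);
}

/* Vulnerable pattern: result stored and capacity bumped without a NULL check. */
void ensure_unchecked(glyph_buffer_t *buf, size_t size)
{
    if (size <= buf->allocated)
        return;
    size_t n = buf->allocated ? buf->allocated : 8;
    while (n < size)
        n *= 2;
    buf->info = buffer_realloc(buf->info, n * sizeof *buf->info);
    buf->allocated = n;  /* now inconsistent if info == NULL */
}

void add_glyph_unchecked(glyph_buffer_t *buf, uint32_t cp, uint32_t cluster)
{
    ensure_unchecked(buf, buf->len + 1);
    buf->info[buf->len].codepoint = cp;  /* after a failure: store to NULL + len * 8 */
    buf->info[buf->len].cluster = cluster;
    buf->len++;
}

/* Hardened pattern: report failure, keep the old array, refuse further work. */
bool ensure_checked(glyph_buffer_t *buf, size_t size)
{
    if (buf->in_error)
        return false;
    if (size <= buf->allocated)
        return true;
    size_t n = buf->allocated ? buf->allocated : 8;
    while (n < size)
        n *= 2;
    glyph_info_t *p = buffer_realloc(buf->info, n * sizeof *buf->info);
    if (!p) {
        buf->in_error = true;
        return false;
    }
    buf->info = p;
    buf->allocated = n;
    return true;
}

bool add_glyph_checked(glyph_buffer_t *buf, uint32_t cp, uint32_t cluster)
{
    if (!ensure_checked(buf, buf->len + 1))
        return false;
    buf->info[buf->len].codepoint = cp;
    buf->info[buf->len].cluster = cluster;
    buf->len++;
    return true;
}

/* Push n glyphs through the hardened path with allocations failing above
 * `limit` bytes; returns how many were stored before the buffer latched. */
size_t fill_checked(size_t n, size_t limit)
{
    glyph_buffer_t buf = {0};
    size_t stored = 0;
    fail_after_bytes = limit;
    for (size_t i = 0; i < n && add_glyph_checked(&buf, (uint32_t)i, (uint32_t)i); i++)
        stored++;
    fail_after_bytes = SIZE_MAX;
    free(buf.info);
    return stored;
}

/* Run one vulnerable ensure step from an empty buffer and stop before the store
 * add_glyph_unchecked() would make; true when info == NULL but allocated > 0. */
bool unchecked_leaves_inconsistent(size_t size, size_t limit)
{
    glyph_buffer_t buf = {0};
    fail_after_bytes = limit;
    ensure_unchecked(&buf, size);
    fail_after_bytes = SIZE_MAX;
    bool inconsistent = buf.info == NULL && buf.allocated > 0;
    free(buf.info);
    return inconsistent;
}
```

With a 100-byte allocation ceiling, `fill_checked(20, 100)` stores 8 glyphs and then stops cleanly when the 128-byte growth step fails, while `unchecked_leaves_inconsistent(9, 100)` shows the vulnerable step leaving `info == NULL` with `allocated == 16`, exactly the state in which the next add would write through a NULL base offset by an attacker-influenced index. The commit linked above addresses the same omission: checking the reallocation result before the array is used.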
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-02 07:57:13 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=678563 has links to some patches.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-12 17:17:18 UTC
*** Bug 357781 has been marked as a duplicate of this bug. ***
Comment 3 Pacho Ramos gentoo-dev 2011-03-12 18:18:21 UTC
+*pango-1.28.3-r1 (12 Mar 2011)
+
+  12 Mar 2011; Pacho Ramos <pacho@gentoo.org> -files/pango-1.2.5-lib64.patch,
+  -pango-1.24.5-r1.ebuild, -files/pango-1.26.0-introspection-automagic.patch,
+  -pango-1.26.2.ebuild, +pango-1.28.3-r1.ebuild,
+  +files/pango-1.28.3-heap-corruption.patch,
+  +files/pango-1.28.3-malloc-failure.patch:
+  Fix security issues: CVE-2011-0020 and CVE-2011-0064. Remove old.
+
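Review bot: the entry cites CVE-2011-0020 and CVE-2011-0064 but not the Gentoo bugs that track them, which is what the security team greps ChangeLogs for when closing a GLSA; suggest appending "bug #357067" for CVE-2011-0064 (and the bug tracking CVE-2011-0020) to the "Fix security issues" line. The rest is complete: the new revision, both named patches added under files/, and the old ebuilds and patches removed.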
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:33:36 UTC
CVE-2011-0064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0064):
  The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango
  1.28.3, Firefox, and other products, does not verify that memory
  reallocations succeed, which allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) or possibly execute
  arbitrary code via crafted OpenType font data that triggers use of an
  incorrect index.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:31:48 UTC
This issue was resolved and addressed in GLSA 201405-13 at
http://security.gentoo.org/glsa/glsa-201405-13.xml
by GLSA coordinator Sean Amoss (ackle).