Will Drewry of oCERT reported the following vulnerability:
#2009-001 Pango integer overflow in heap allocation size calculations
Pango is a library for laying out and rendering text, with an emphasis
on internationalization. Pango suffers from a multiplicative integer
overflow which may lead to a potentially exploitable heap overflow
depending on the calling conditions. For example, this vulnerability is
remotely reachable in Firefox by creating an overly large
document.location value but only results in a process-terminating
allocation error (denial of service).
The affected function is pango_glyph_string_set_size. An overflow check
when doubling the size neglects the overflow possible on the subsequent
string->glyphs = g_realloc (string->glyphs, string->space *
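To make the two-step check concrete, here is an added example in C. It is not Pango's code: the glyph_t and glyph_string_t types and the function names are constructed stand-ins. It validates the byte count handed to the allocator separately from the doubling of the element count, which is the check the advisory describes as missing, and shows beside it how the unchecked multiplication wraps to a small value.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a glyph record (not Pango's PangoGlyphInfo). */
typedef struct { uint32_t glyph; int32_t x_advance; } glyph_t;
typedef struct { glyph_t *glyphs; size_t space, len; } glyph_string_t;

/* Unchecked: cap * sizeof(glyph_t) silently wraps, so a huge cap can
 * become a tiny allocation that later element writes overrun. */
size_t unchecked_alloc_bytes(size_t cap)
{
    return cap * sizeof(glyph_t);
}

/* Checked: returns 1 and stores the byte count, or 0 if it would wrap. */
int checked_alloc_bytes(size_t cap, size_t *bytes)
{
    if (cap > SIZE_MAX / sizeof(glyph_t))
        return 0;
    *bytes = cap * sizeof(glyph_t);
    return 1;
}

/* Grow s to hold new_len elements, doubling capacity as needed.
 * Returns 0 on success, -1 if either size computation would wrap
 * or the allocation fails; s is left untouched on failure. */
int glyph_string_set_size(glyph_string_t *s, size_t new_len)
{
    size_t cap = s->space ? s->space : 1, bytes;
    glyph_t *p;
    if (new_len <= s->space) {
        s->len = new_len;
        return 0;
    }
    while (cap < new_len) {
        if (cap > SIZE_MAX / 2)   /* step 1: doubling must not wrap */
            return -1;
        cap *= 2;
    }
    if (!checked_alloc_bytes(cap, &bytes))  /* step 2: bytes must not wrap */
        return -1;
    p = realloc(s->glyphs, bytes);
    if (!p)
        return -1;
    s->glyphs = p;
    s->space = cap;
    s->len = new_len;
    return 0;
}
```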
GNOME, can we go stable with 1.24.1?
Integer overflow in the pango_glyph_string_set_size function in
pango/glyphstring.c in Pango before 1.24 allows context-dependent
attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a long glyph string that triggers
a heap-based buffer overflow, as demonstrated by a long
document.location value in Firefox.
GNOME, can we go stable with pango 1.24.1 or do you plan to backport the patch?
[21:13] <Ford_Prefect> rbu, go for it. GNOME herd, please do not kill me.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
All arches done, GLSA request filed.
Integer overflow in CoreGraphics in Apple Mac OS X, as used in
Mozilla Firefox before 3.0.12, allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via a long text run that triggers a heap-based buffer overflow
during font glyph rendering, a related issue to CVE-2009-1194.
There is no <x11-libs/pango-1.24.5-r1 in portage any more.
This issue was resolved and addressed in
GLSA 201405-13 at http://security.gentoo.org/glsa/glsa-201405-13.xml
by GLSA coordinator Sean Amoss (ackle).