Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 268976 (CVE-2009-1194) - <x11-libs/pango-1.24.2 Integer overflow (CVE-2009-{1194,2468})
Summary: <x11-libs/pango-1.24.2 Integer overflow (CVE-2009-{1194,2468})
Status: RESOLVED FIXED
Alias: CVE-2009-1194
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-07 20:49 UTC by Alex Legler (RETIRED)
Modified: 2014-05-17 19:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-07 20:49:12 UTC 
Will Drewry of oCERT reported the following vulnerability:

#2009-001 Pango integer overflow in heap allocation size calculations

Description:

Pango is a library for laying out and rendering text, with an emphasis
on internationalization.  Pango suffers from a multiplicative integer
overflow which may lead to a potentially exploitable, heap overflow
depending on the calling conditions.  For example, this vulnerability is
remotely reachable in Firefox by creating an overly large
document.location value but only results in a process-terminating,
allocation error (denial of service).

The affected function is pango_glyph_string_set_size. An overflow check
when doubling the size neglects the overflow possible on the subsequent
allocation:

  string->glyphs = g_realloc (string->glyphs, string->space *
                              sizeof (PangoGlyphInfo));
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-07 20:49:44 UTC 
Gnome, can we go stable with 1.24.1?
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-15 09:18:15 UTC 
CVE-2009-1194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1194):
  Integer overflow in the pango_glyph_string_set_size function in
  pango/glyphstring.c in Pango before 1.24 allows context-dependent
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a long glyph string that triggers
  a heap-based buffer overflow, as demonstrated by a long
  document.location value in Firefox.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 15:32:05 UTC 
gnome, can we go stable with pango 1.24.1 or do you plan to backport the patch?
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 19:13:45 UTC 
[21:13] <Ford_Prefect> rbu, go for it. GNOME herd, please do not kill me.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 19:13:50 UTC 
Arches, please test and mark stable:
=x11-libs/pango-1.24.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 6 Markus Meier gentoo-dev 2009-05-25 20:38:50 UTC 
amd64/x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-25 22:55:16 UTC 
Stable for HPPA.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-27 15:46:25 UTC 
ppc64 done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-27 15:46:32 UTC 
ppc done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-05-27 17:17:09 UTC 
alpha/arm/ia64/s390/sh/sparc stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-01 22:28:40 UTC 
All arches done, GLSA request filed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-08 21:59:55 UTC 
CVE-2009-2468 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2468):
  Integer overflow in CoreGraphics in Apple Mac OS X, as used in
  Mozilla Firefox before 3.0.12, allows remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary
  code via a long text run that triggers a heap-based buffer overflow
  during font glyph rendering, a related issue to CVE-2009-1194.
Comment 13 Jaak Ristioja 2010-07-23 09:06:41 UTC 
There is no <x11-libs/pango-1.24.5-r1 in portage any more.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:31:41 UTC 
This issue was resolved and addressed in
 GLSA 201405-13 at http://security.gentoo.org/glsa/glsa-201405-13.xml
by GLSA coordinator Sean Amoss (ackle).