From the upstream bug at URL:
As reported by Dan Rosenberg to Ubuntu in:
When used with FreeType2 as a backend, Pango is vulnerable to heap corruption
when rendering malformed fonts. The vulnerability occurs in
pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer is
malloc'd with size box->bitmap.rows * box->bitmap.pitch. Subsequently, 0xff is
written at offsets into this buffer without checking that these offsets fall
within the buffer's boundaries, leading to heap corruption.
I tested this against Lucid (Pango 1.28.0) and upstream (Pango 1.28.3).
I've attached a fuzzed version of the FreeSerif TrueType font ("crash.ttf")
that can be used to reproduce this corruption as follows, using the
test-mixed.txt file included in the pango-view directory of the source tree:
# cp /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# cp crash.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# pango-view --backend=ft2 --font=FreeSerif test-mixed.txt
*** glibc detected *** pango-view: malloc(): memory corruption:
======= Backtrace: =========
Per http://www.openwall.com/lists/oss-security/2011/01/20/2 this has been assigned CVE-2011-0020.
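The report above describes the bug class rather than a single bad offset: a box glyph's bitmap is allocated as rows * pitch bytes and the box-drawing loops then store 0xff at offsets derived from the glyph's width, height and a line width scaled from the height, with no check that those offsets stay inside the allocation. The following is an added example written for this page, not pango's code and not the patched function: it re-creates that drawing pattern in a constructed box_bitmap type, replays the offsets the unchecked logic would hit (without actually writing, so it is safe to run on any dimensions) and counts the ones that fall outside the buffer, then shows a hardened variant that validates the dimensions, sizes the allocation without integer overflow and clips every store. The line_width formula and the test dimensions (20x20, a tall narrow 2x100 glyph, and a zero-height glyph) are assumptions chosen to exercise the failure mode, not values taken from crash.ttf.

```c
/*
 * Constructed illustration of the bug class in CVE-2011-0020 (not pango's
 * code): a "box" glyph is drawn into a bitmap of rows*pitch bytes by storing
 * 0xff at computed offsets. box_glyph_unchecked_oob() only replays those
 * offsets and counts the out-of-bounds ones; box_glyph_checked() clips every
 * store. The line_width formula and dimensions are assumptions for this demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))
#define MIN(a, b) ((a) < (b) ? (a) : (b))

typedef struct {
    int width, rows, pitch;
    unsigned char *buffer;
} box_bitmap;

/* Count how many 0xff stores the unchecked drawing logic would make outside
 * [0, rows*pitch). Nothing is written, so degenerate dimensions (as a fuzzed
 * font can yield) are safe here; in a real renderer they corrupt the heap. */
long box_glyph_unchecked_oob(int width, int height)
{
    int rows = height, pitch = width;             /* pitch == width, as in the report */
    long size = (long)rows * pitch;                /* what malloc would be asked for */
    int line_width = MAX((height + 43) / 44, 1);   /* grows with glyph height */
    long oob = 0, off;
    int i, j;

#define CHECK(o) do { off = (o); if (off < 0 || off >= size) oob++; } while (0)
    /* horizontal edges: line_width rows near the top and bottom */
    for (j = 0; j < line_width; j++) {
        long off1 = (long)pitch * MIN(1 + j, height - 1);   /* negative when height == 0 */
        long off2 = (long)pitch * MAX(rows - 2 - j, 0);
        for (i = 1; i < width - 1; i++) {
            CHECK(off1 + i);
            CHECK(off2 + i);
        }
    }
    /* vertical edges: line_width columns at the left and right of every row */
    for (j = 0; j < rows; j++)
        for (i = 0; i < line_width; i++) {
            CHECK((long)pitch * j + i + 1);            /* column i+1 can exceed pitch */
            CHECK((long)pitch * j + (width - 2 - i));  /* column can go negative */
        }
#undef CHECK
    return oob;
}

/* Hardened variant: every store goes through a clipping helper. */
static void put_px(box_bitmap *bm, int x, int y)
{
    if (x < 0 || x >= bm->width || y < 0 || y >= bm->rows)
        return;                                    /* clipped, never out of bounds */
    bm->buffer[(size_t)y * bm->pitch + x] = 0xff;
}

box_bitmap *box_glyph_checked(int width, int height)
{
    box_bitmap *bm;
    int line_width, i, j;

    /* reject empty or negative glyphs and sizes that overflow size_t */
    if (width < 1 || height < 1 || (size_t)height > SIZE_MAX / (size_t)width)
        return NULL;
    line_width = MAX((height + 43) / 44, 1);

    bm = calloc(1, sizeof *bm);
    if (!bm) return NULL;
    bm->width = width; bm->rows = height; bm->pitch = width;
    bm->buffer = calloc((size_t)height, (size_t)width);
    if (!bm->buffer) { free(bm); return NULL; }

    for (j = 0; j < line_width; j++)
        for (i = 1; i < width - 1; i++) {
            put_px(bm, i, MIN(1 + j, height - 1));
            put_px(bm, i, MAX(height - 2 - j, 0));
        }
    for (j = 0; j < height; j++)
        for (i = 0; i < line_width; i++) {
            put_px(bm, i + 1, j);
            put_px(bm, width - 2 - i, j);
        }
    return bm;
}

/* Pixels the hardened renderer set, or -1 if it rejected the dimensions. */
long box_glyph_checked_count(int width, int height)
{
    box_bitmap *bm = box_glyph_checked(width, height);
    long n = 0, total, k;
    if (!bm) return -1;
    total = (long)bm->rows * bm->pitch;
    for (k = 0; k < total; k++) n += (bm->buffer[k] == 0xff);
    free(bm->buffer); free(bm);
    return n;
}

int main(void)
{
    printf("20x20: %ld OOB stores unchecked, %ld pixels set checked\n",
           box_glyph_unchecked_oob(20, 20), box_glyph_checked_count(20, 20));
    printf("2x100 (tall, narrow): %ld OOB stores unchecked, %ld pixels set checked\n",
           box_glyph_unchecked_oob(2, 100), box_glyph_checked_count(2, 100));
    printf("10x0: %ld OOB stores unchecked, checked result %ld\n",
           box_glyph_unchecked_oob(10, 0), box_glyph_checked_count(10, 0));
    return 0;
}
```

The 2x100 case is the interesting one: a well-formed 20x20 box produces no out-of-bounds stores, but once line_width outgrows the glyph's width the vertical-edge loop walks past the end of the last row and before the start of the first one, and a zero-height glyph makes the top-edge offset negative before a single byte of the (zero-length) buffer exists. That is exactly the shape of bug a fuzzed metrics table triggers, which is why the hardened form both rejects impossible dimensions up front and clips at the point of each write rather than trusting the loop bounds.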
+*pango-1.28.3-r1 (12 Mar 2011)
+ 12 Mar 2011; Pacho Ramos <firstname.lastname@example.org> -files/pango-1.2.5-lib64.patch,
+ -pango-1.24.5-r1.ebuild, -files/pango-1.26.0-introspection-automagic.patch,
+ -pango-1.26.2.ebuild, +pango-1.28.3-r1.ebuild,
+ Fix security issues: CVE-2011-0020 and CVE-2011-0064. Remove old.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Tested on SPARC, passed its tests. Could stabilise.
Stable on alpha.
amd64 done. Thanks Agostino
Stable for HPPA.
Thanks folks. Added existing GLSA request.
Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function
in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the
FreeType2 backend is enabled, allows user-assisted remote attackers to cause
a denial of service (application crash) or possibly execute arbitrary code
via a crafted font file, related to the glyph box for an FT_Bitmap object.
This issue was resolved and addressed in
GLSA 201405-13 at http://security.gentoo.org/glsa/glsa-201405-13.xml
by GLSA coordinator Sean Amoss (ackle).