It was discovered that pango did not check for memory reallocation failures in
the hb_buffer_ensure() function. This could trigger a NULL pointer dereference in
hb_buffer_add_glyph(), where possibly untrusted input is used as an index for
accessing members of the incorrectly reallocated array, resulting in the
use of the NULL address as the base array address. This can result in an application
crash or, possibly, code execution.
It was demonstrated that it's possible to trigger this flaw in Firefox via a
specially crafted web page.
Mozilla bug report (currently not public):
Fix in the harfbuzz git:
https://bugzilla.redhat.com/show_bug.cgi?id=678563 has links to some patches.
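The unchecked-reallocation pattern described above, shown beside its checked form, as a constructed C example added here (not HarfBuzz's or Pango's code; glyph_buffer_t, ensure_unchecked, ensure_checked, add_glyph and failing_realloc are hypothetical names standing in for the buffer, hb_buffer_ensure() and hb_buffer_add_glyph()):

```c
#include <stdbool.h>
#include <stdlib.h>
typedef void *(*realloc_fn_t)(void *, size_t);
typedef struct {            /* constructed stand-in, not HarfBuzz's buffer struct */
    unsigned int *glyphs;
    size_t len, allocated;
    bool in_error;          /* hardened path: sticky failure flag, never a NULL base */
} glyph_buffer_t;

/* Vulnerable pattern: realloc's result is stored unchecked. On failure it returns NULL
 * (old block stays live and leaks), so a later glyphs[i] store writes to NULL + i*4. */
static void ensure_unchecked(glyph_buffer_t *b, size_t size, realloc_fn_t rf) {
    if (size <= b->allocated) return;
    size_t n = b->allocated * 2 > size ? b->allocated * 2 : size;
    b->glyphs = rf(b->glyphs, n * sizeof(unsigned int));
    b->allocated = n;
}
/* Hardened pattern: check the result, keep the old block, make the error sticky. */
static bool ensure_checked(glyph_buffer_t *b, size_t size, realloc_fn_t rf) {
    if (b->in_error) return false;
    if (size <= b->allocated) return true;
    size_t n = b->allocated * 2 > size ? b->allocated * 2 : size;
    unsigned int *p = rf(b->glyphs, n * sizeof(unsigned int));
    if (!p) { b->in_error = true; return false; }   /* old buffer still valid */
    b->glyphs = p;
    b->allocated = n;
    return true;
}
/* Append one glyph; callers must honour the return value before indexing. */
static bool add_glyph(glyph_buffer_t *b, unsigned int glyph, realloc_fn_t rf) {
    if (!ensure_checked(b, b->len + 1, rf)) return false;
    b->glyphs[b->len++] = glyph;
    return true;
}
/* Constructed allocator that always fails, simulating memory exhaustion. */
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }
/* True when the unchecked path leaves the NULL-base state behind (no dereference here). */
static bool unchecked_leaves_null_base(void) {
    glyph_buffer_t b = {0};
    ensure_unchecked(&b, 1, failing_realloc);
    return b.glyphs == NULL && b.allocated > 0;
}
/* Grow with the real allocator, then fail one growth: earlier glyphs survive, error reported. */
static bool checked_keeps_old_data(void) {
    glyph_buffer_t b = {0};
    bool grew = add_glyph(&b, 7, realloc) && add_glyph(&b, 9, realloc);
    bool refused = !add_glyph(&b, 42, failing_realloc) && b.in_error;
    bool intact = b.len == 2 && b.allocated == 2 && b.glyphs[1] == 9;
    free(b.glyphs);
    return grew && refused && intact;
}
```

unchecked_leaves_null_base() only inspects the state the unchecked path leaves behind; it never indexes through the NULL base, which is exactly the step that crashes in the real bug.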
*** Bug 357781 has been marked as a duplicate of this bug. ***
+*pango-1.28.3-r1 (12 Mar 2011)
+ 12 Mar 2011; Pacho Ramos <email@example.com> -files/pango-1.2.5-lib64.patch,
+ -pango-1.24.5-r1.ebuild, -files/pango-1.26.0-introspection-automagic.patch,
+ -pango-1.26.2.ebuild, +pango-1.28.3-r1.ebuild,
+ Fix security issues: CVE-2011-0020 and CVE-2011-0064. Remove old.
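Review bot: The entry names the two CVEs fixed but lists no +files/ patch alongside +pango-1.28.3-r1.ebuild, so it is not clear from the ChangeLog whether the fix for CVE-2011-0064 is a backported patch or comes from the packaged release; name the upstream patch or commit in the entry so the fix stays traceable.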
The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango
1.28.3, Firefox, and other products, does not verify that memory
reallocations succeed, which allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) or possibly execute
arbitrary code via crafted OpenType font data that triggers use of an
This issue was resolved and addressed in
GLSA 201405-13 at http://security.gentoo.org/glsa/glsa-201405-13.xml
by GLSA coordinator Sean Amoss (ackle).