Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 313331 (CVE-2010-0421) - <x11-libs/pango-1.27.1: hb_ot_layout_build_glyph_classes() DoS (CVE-2010-0421)
Summary: <x11-libs/pango-1.27.1: hb_ot_layout_build_glyph_classes() DoS (CVE-2010-0421)
Status: RESOLVED FIXED
Alias: CVE-2010-0421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://ftp.gnome.org/pub/GNOME/source...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-06 03:24 UTC by Stefan Behte (RETIRED)
Modified: 2010-11-21 16:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 03:24:19 UTC 
CVE-2010-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0421):
  Array index error in the hb_ot_layout_build_glyph_classes function in
  pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows
  context-dependent attackers to cause a denial of service (application
  crash) via a crafted font file, related to building a synthetic Glyph
  Definition (aka GDEF) table by using this font's charmap and the
  Unicode property database.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 13:42:18 UTC 
gnome herd, please provide an updated ebuild.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:27 UTC 
CVE-2010-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0421):
  Array index error in the hb_ot_layout_build_glyph_classes function in
  pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows
  context-dependent attackers to cause a denial of service (application
  crash) via a crafted font file, related to building a synthetic Glyph
  Definition (aka GDEF) table by using this font's charmap and the
  Unicode property database.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 15:47:51 UTC 
ping?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-09-22 19:59:40 UTC 
Looks like pango-1.28.1 is in the tree and stabled on some archs due to bug #324077. Arches, please test and mark x11-libs/pango-1.28.1 stable.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 21:04:35 UTC 
*ping*
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2010-10-02 15:30:34 UTC 
Stable on alpha.
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2010-10-07 19:57:59 UTC 
ppc64 done (from bug 324077)
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-10-09 16:41:28 UTC 
arm/ia64/s390/sh/sparc stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:11:54 UTC 
GLSA Vote: No.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:28:50 UTC 
Vote: NO, closing noglsa.