From the upstream bug at URL:

As reported by Dan Rosenberg to Ubuntu in: https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616

When used with FreeType2 as a backend, Pango is vulnerable to heap corruption when rendering malformed fonts. The vulnerability occurs in pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer is malloc'd with size box->bitmap.rows * box->bitmap.pitch. Subsequently, 0xff is written at offsets into this buffer without checking that these offsets fall within the buffer's boundaries, leading to heap corruption.

I tested this against Lucid (Pango 1.28.0) and upstream (Pango 1.28.3).

I've attached a fuzzed version of the FreeSerif TrueType font ("crash.ttf") that can be used to reproduce this corruption as follows, using the test-mixed.txt file included in the pango-view directory of the source tree (also attached):

# cp /usr/share/fonts/truetype/freefont/FreeSerif.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf.bak
# cp crash.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# pango-view --backend=ft2 --font=FreeSerif test-mixed.txt
*** glibc detected *** pango-view: malloc(): memory corruption: 0x000000000116cfa0 ***
======= Backtrace: =========
...
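The report above describes the defect pattern: a buffer of rows * pitch bytes is allocated, then 0xff is stored at computed offsets without checking that each offset lies inside that allocation. The following C code is an added illustration of the bounds-checked shape such a box renderer should have; it is not Pango's code, not the upstream patch, and the bitmap type (box_bitmap_t) and function names are assumptions chosen for the example. It rejects degenerate or overflowing geometry at allocation time and drops any pixel that would land outside the buffer instead of writing it.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical bitmap with the three fields the report names
   (rows, pitch, buffer); modelled on, but not, FreeType's FT_Bitmap. */
typedef struct {
    int rows;               /* number of scanlines */
    int pitch;              /* bytes per scanline */
    unsigned char *buffer;  /* rows * pitch bytes */
} box_bitmap_t;

/* Allocate a zeroed rows*pitch bitmap. Rejects non-positive dimensions
   and products that would overflow size_t. Returns 0 on success, -1 on error. */
int box_bitmap_alloc(box_bitmap_t *bm, int rows, int pitch) {
    if (rows <= 0 || pitch <= 0) return -1;
    if ((size_t)rows > SIZE_MAX / (size_t)pitch) return -1;  /* multiplication would wrap */
    bm->buffer = calloc((size_t)rows, (size_t)pitch);
    if (!bm->buffer) return -1;
    bm->rows = rows;
    bm->pitch = pitch;
    return 0;
}

/* Store 0xff at (x, y) only when the pixel lies inside the buffer.
   Returns 1 if the byte was written, 0 if it was dropped. */
static int put_pixel_checked(box_bitmap_t *bm, long long x, long long y) {
    if (x < 0 || y < 0 || y >= bm->rows || x >= bm->pitch) return 0;
    bm->buffer[(size_t)y * (size_t)bm->pitch + (size_t)x] = 0xff;
    return 1;
}

/* Draw a one-pixel rectangular outline with top-left corner (x0, y0),
   w pixels wide and h pixels tall. Out-of-range pixels are discarded rather
   than written past the allocation. Returns the number of bytes written.
   Arithmetic is done in long long so x0 + w cannot overflow int. */
int render_box_outline(box_bitmap_t *bm, int x0, int y0, int w, int h) {
    if (w <= 0 || h <= 0) return 0;
    long long xend = (long long)x0 + w;   /* exclusive right edge */
    long long yend = (long long)y0 + h;   /* exclusive bottom edge */
    int written = 0;
    for (long long x = x0; x < xend; x++) {           /* top and bottom rows */
        written += put_pixel_checked(bm, x, y0);
        if (h > 1) written += put_pixel_checked(bm, x, yend - 1);
    }
    for (long long y = y0 + 1; y < yend - 1; y++) {   /* left and right columns */
        written += put_pixel_checked(bm, x0, y);
        if (w > 1) written += put_pixel_checked(bm, xend - 1, y);
    }
    return written;
}

/* Count bytes set to 0xff; used to confirm nothing else was touched. */
int box_bitmap_count_set(const box_bitmap_t *bm) {
    int n = 0;
    size_t total = (size_t)bm->rows * (size_t)bm->pitch;
    for (size_t i = 0; i < total; i++)
        if (bm->buffer[i] == 0xff) n++;
    return n;
}
```

The two checks matter independently: the allocation guard stops a font from supplying rows and pitch values that make the product wrap to a tiny buffer, and the per-pixel guard ensures that whatever glyph metrics the font supplies, every store stays within rows * pitch bytes of the start of the buffer.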
Per http://www.openwall.com/lists/oss-security/2011/01/20/2 this has been assigned CVE-2011-0020.
+*pango-1.28.3-r1 (12 Mar 2011) + + 12 Mar 2011; Pacho Ramos <pacho@gentoo.org> -files/pango-1.2.5-lib64.patch, + -pango-1.24.5-r1.ebuild, -files/pango-1.26.0-introspection-automagic.patch, + -pango-1.26.2.ebuild, +pango-1.28.3-r1.ebuild, + +files/pango-1.28.3-heap-corruption.patch, + +files/pango-1.28.3-malloc-failure.patch: + Fix security issues: CVE-2011-0020 and CVE-2011-0064. Remove old. +
Thanks, Pacho. Arches, please test and mark stable: =x11-libs/pango-1.28.3-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Tested on SPARC, passed its tests. Could stabilise.
ppc/ppc64 stable
amd64 ok
x86 stable
Stable on alpha.
amd64 done. Thanks Agostino.
Stable for HPPA.
arm/ia64/s390/sh/sparc stable
Thanks folks. Added existing GLSA request.
CVE-2011-0020 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0020): Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.
This issue was resolved and addressed in GLSA 201405-13 at http://security.gentoo.org/glsa/glsa-201405-13.xml by GLSA coordinator Sean Amoss (ackle).