Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 357067 (CVE-2011-0064) - <x11-libs/pango-1.28.3-r1: missing memory reallocation failure checking in hb_buffer_ensure (CVE-2011-0064)
Summary: <x11-libs/pango-1.28.3-r1: missing memory reallocation failure checking in hb...
Alias: CVE-2011-0064
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
: 357781 (view as bug list)
Depends on: CVE-2011-0020
  Show dependency tree
Reported: 2011-03-02 07:55 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-05-17 19:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-02 07:55:28 UTC
It was discovered that pango did not check for memory reallocation failures in
hb_buffer_ensure() function.  This could trigger a NULL pointer dereference in
hb_buffer_add_glyph(), where possibly untrusted input is used as an index used
for accessing members of the incorrectly reallocated array, resulting in the
use of NULL address as the base array address.  This can result in application
crash or, possibly, code execution.

It was demonstrated that it's possible to trigger this flaw in Firefox via a
specially crafted web page.

Mozilla bug report (currently not public):

Fix in the harfbuzz git:
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-02 07:57:13 UTC has links to some patches.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-12 17:17:18 UTC
*** Bug 357781 has been marked as a duplicate of this bug. ***
Comment 3 Pacho Ramos gentoo-dev 2011-03-12 18:18:21 UTC
+*pango-1.28.3-r1 (12 Mar 2011)
+  12 Mar 2011; Pacho Ramos <> -files/pango-1.2.5-lib64.patch,
+  -pango-1.24.5-r1.ebuild, -files/pango-1.26.0-introspection-automagic.patch,
+  -pango-1.26.2.ebuild, +pango-1.28.3-r1.ebuild,
+  +files/pango-1.28.3-heap-corruption.patch,
+  +files/pango-1.28.3-malloc-failure.patch:
+  Fix security issues: CVE-2011-0020 and CVE-2011-0064. Remove old.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:33:36 UTC
CVE-2011-0064 (
  The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango
  1.28.3, Firefox, and other products, does not verify that memory
  reallocations succeed, which allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) or possibly execute
  arbitrary code via crafted OpenType font data that triggers use of an
  incorrect index.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 19:31:48 UTC
This issue was resolved and addressed in
 GLSA 201405-13 at
by GLSA coordinator Sean Amoss (ackle).