Pango Integer Overflow in pango_glyph_string_set_size() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1022196
SecurityTracker URL: http://securitytracker.com/id/1022196
Date: May 8 2009
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): prior to 1.24
A vulnerability was reported in Pango. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted content that, when processed by the Pango library, will trigger an integer overflow in the pango_glyph_string_set_size() function and potentially execute arbitrary code on the target system. The code will run with the privileges of the target application using the Pango library.
The vendor was notified on February 22, 2009.
Will Drewry of the oCERT Team and the Google Security Team reported this vulnerability.
The original advisory is available at:
A remote user can create content that, when processed by the target application, will execute arbitrary code on the target system.
The vendor has issued a fix (1.24), available at:
Vendor URL: www.pango.org/
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [oCERT-2009-001] Pango integer overflow in heap allocation size
#2009-001 Pango integer overflow in heap allocation size calculations
Pango is a library for laying out and rendering text, with an emphasis
on internationalization. Pango suffers from a multiplicative integer
overflow which may lead to a potentially exploitable heap overflow,
depending on the calling conditions. For example, this vulnerability is
remotely reachable in Firefox by creating an overly large
document.location value, but there it only results in a
process-terminating allocation error (denial of service).
The affected function is pango_glyph_string_set_size. An overflow check
when doubling the size neglects the overflow possible on the subsequent
string->glyphs = g_realloc (string->glyphs, string->space *
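The pattern described above, reduced to a self-contained illustration. This is added example code, not Pango's own source or the 1.24 patch: the GlyphInfo and size types are stand-ins, the allocator's size type is modelled as 32 bits (gsize32) so the wrap reproduces on any host, and safe_grow is one reasonable hardened growth policy rather than the upstream fix verbatim. vuln_grow keeps the original's shape: the doubled count is checked for going negative, the later count * sizeof(element) product is not.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Pango types (illustrative, not the library's own
 * definitions). A 16-byte per-glyph record is what the allocation is
 * sized by. */
typedef struct {
    uint32_t glyph;
    int32_t  width;
    int32_t  x_offset;
    int32_t  y_offset;
} GlyphInfo;

/* Model the allocator's size type as 32 bits so the wrap reproduces on
 * any host. On a 64-bit build the same product does not wrap; it becomes
 * an oversized request that fails, which is the process-terminating
 * allocation error the advisory describes for Firefox. */
typedef uint32_t gsize32;

/* The byte count the allocator would receive for `space` elements of
 * `elem` bytes each, computed in the 32-bit size type. Unchecked, as in
 * the vulnerable pattern. */
gsize32 alloc_bytes32(int space, size_t elem)
{
    return (gsize32)space * (gsize32)elem;
}

/* Vulnerable growth policy: double `space` until it covers `new_len`,
 * checking only that the doubled count did not go negative. Returns the
 * new element count, or -1 on the error path (the library's g_error
 * aborts the process there). */
int vuln_grow(int space, int new_len)
{
    while (new_len > space) {
        /* unsigned arithmetic so the wrap is defined behaviour here */
        space = (space == 0) ? 1 : (int)((unsigned)space * 2u);
        if (space < 0)
            return -1;  /* the only overflow check in the original pattern */
    }
    return space;
}

/* Hardened growth policy (added illustration, not the 1.24 patch):
 * bound the element count so that count * elem always fits the
 * allocator's size type and the count itself fits an int. Refuse
 * lengths the bound cannot satisfy instead of letting them wrap. */
int safe_grow(int space, int new_len, size_t elem, gsize32 size_max)
{
    gsize32 cap = size_max / (gsize32)elem;
    int max_space = (cap > (gsize32)INT_MAX) ? INT_MAX : (int)cap;

    if (new_len < 0 || new_len > max_space)
        return -1;  /* cannot be satisfied without overflow */

    while (new_len > space) {
        int64_t more = (space == 0) ? 4 : (int64_t)space * 2;
        if (more > max_space)
            more = max_space;  /* clamp; new_len <= max_space so the loop ends */
        space = (int)more;
    }
    return space;
}

int main(void)
{
    /* A request of 2^27 + 1 glyphs: the doubling check passes (2^28 is
     * positive), but 2^28 * 16 bytes wraps to 0 in a 32-bit size, so the
     * allocator is asked for 0 bytes while space says 2^28 glyphs fit. */
    int n = (1 << 27) + 1;
    int sp = vuln_grow(0, n);
    printf("vuln: space=%d bytes=%u\n", sp, (unsigned)alloc_bytes32(sp, sizeof(GlyphInfo)));

    sp = safe_grow(0, n, sizeof(GlyphInfo), 0xFFFFFFFFu);
    printf("safe: space=%d bytes=%u\n", sp, (unsigned)alloc_bytes32(sp, sizeof(GlyphInfo)));

    printf("safe: oversized request -> %d\n",
           safe_grow(0, 300000000, sizeof(GlyphInfo), 0xFFFFFFFFu));
    return 0;
}
```

The check that matters is the one on the product, not on the count: the count can stay a small positive int while count * sizeof(element) has already wrapped in the allocator's size type, which is why a bound derived from size_max / sizeof(element) has to be applied before the multiplication.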
Note that other font rendering subsystems suffer from similar issues and
should be cross-checked by maintainers.
Affected version: Pango < 1.24
Fixed version: Pango >= 1.24
(check with your package maintainer for backports)
Credit: Will Drewry, oCERT Team | Google Security Team.
Special thanks to Karl Tomlinson for extended analysis of the
impact on Firefox.
2009-02-22: attempted to contact upstream via firstname.lastname@example.org
2009-02-25: bug filed with Mozilla against firefox
2009-03-02: Behdad Esfahbod patched Pango upstream for 1.24
2009-04-13: vendor-sec alerted regarding backporting the silent pango fix
2009-04-23: embargo date and CVE assigned (thanks Josh Bressers!)
2009-05-07: advisory released
Will Drewry <email@example.com>
oCERT Team :: http://ocert.org