SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Pango Vendors:   pango.org
Pango Integer Overflow in pango_glyph_string_set_size() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022196
SecurityTracker URL:  http://securitytracker.com/id/1022196
CVE Reference:   CVE-2009-1194   (Links to External Site)
Date:  May 8 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.24
Description:   A vulnerability was reported in Pango. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted content that, when processed by the Pango library, will trigger an integer overflow in the pango_glyph_string_set_size() function and potentially execute arbitrary code on the target system. The code will run with the privileges of the target application using the Pango library.

The vendor was notified on February 22, 2009.

Will Drewry of the oCERT Team and the Google Security Team reported this vulnerability.

The original advisory is available at:

http://www.ocert.org/advisories/ocert-2009-001.html

Impact:   A remote user can create content that, when processed by the target application, will execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (1.24), available at:

http://ftp.gnome.org/pub/GNOME/sources/pango/

Vendor URL:  www.pango.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 8 2009 (Red Hat Issues Fix) Pango Integer Overflow in pango_glyph_string_set_size() May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 3, 4, and 5.



 Source Message Contents

Subject:  [oCERT-2009-001] Pango integer overflow in heap allocation size

#2009-001 Pango integer overflow in heap allocation size calculations

Description:

Pango is a library for laying out and rendering text, with an emphasis
on internationalization.  Pango suffers from a multiplicative integer
overflow which may lead to a potentially exploitable, heap overflow
depending on the calling conditions.  For example, this vulnerability is
remotely reachable in Firefox by creating an overly large
document.location value but only results in a process-terminating,
allocation error (denial of service).

The affected function is pango_glyph_string_set_size. An overflow check
when doubling the size neglects the overflow possible on the subsequent
allocation:

  string->glyphs = g_realloc (string->glyphs, string->space *
                              sizeof (PangoGlyphInfo));

Note that other font rendering subsystems suffer from similar issues and
should be cross-checked by maintainers.


Affected version:

Pango < 1.24


Fixed version:

Pango >= 1.24
(check with your package maintainer for backports)


Credit: Will Drewry, oCERT Team | Google Security Team.
        Special thanks to Karl Tomlinson for extended analysis of the
        impact on Firefox.


CVE: CVE-2009-1194


Timeline:
2009-02-22: attempted to contact upstream via gtk-i18n-list@gnome.org
2009-02-25: bug filed with Mozilla against firefox
2009-03-02: Behdad Esfahbod patched Pango upstream for 1.24
2009-04-13: vendor-sec alerted regarding backporting the silent pango fix
2009-04-23: embargo date and CVE assigned (thanks Josh Bressers!)
2009-05-07: advisory released


References:
http://www.pango.org/
https://bugzilla.mozilla.org/show_bug.cgi?id=480134


Links:
http://www.mozilla.org/firefox


Permalink:
http://www.ocert.org/advisories/ocert-2009-001.html


--
Will Drewry <redpig@ocert.org>
oCERT Team :: http://ocert.org

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC