Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

pango1.0: integer overflow in heap allocation size calculations

Related Vulnerabilities: CVE-2009-1194  

Source

Debian Bug report logs - #527474
pango1.0: integer overflow in heap allocation size calculations

version graph

Package: pango1.0; Maintainer for pango1.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Thu, 7 May 2009 19:54:01 UTC

Severity: grave

Tags: security

Fixed in version 1.24.0-2

Done: Steffen Joeris <steffen.joeris@skolelinux.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#527474; Package pango. (Thu, 07 May 2009 19:54:03 GMT) (full text, mbox, link).

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. (Thu, 07 May 2009 19:54:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: pango1.0: integer overflow in heap allocation size calculations
Date: Thu, 7 May 2009 15:51:48 -0400
package: pango
severity: grave
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.

CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization.  Pango suffers from a multiplicative integer
|overflow which may lead to a potentially exploitable, heap overflow
|depending on the calling conditions.  For example, this vulnerability is
|remotely reachable in Firefox by creating an overly large
|document.location value but only results in a process-terminating,
|allocation error (denial of service).
|
|The affected function is pango_glyph_string_set_size. An overflow check
|when doubling the size neglects the overflow possible on the subsequent
|allocation:
|
|  string->glyphs = g_realloc (string->glyphs, string->space *
|                              sizeof (PangoGlyphInfo));
|
|Note that other font rendering subsystems suffer from similar issues and
|should be cross-checked by maintainers.

Please coordinate with the security team (team@security.debian.org)
to prepare updates for the stable releases.

See also see USN-773-1 [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
    http://security-tracker.debian.net/tracker/CVE-2009-1194
[1] http://www.ubuntu.com/usn/USN-773-1

Bug reassigned from package `pango' to `pango1.0'. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Thu, 07 May 2009 20:06:07 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#527474; Package pango1.0. (Fri, 08 May 2009 12:24:04 GMT) (full text, mbox, link).

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. (Fri, 08 May 2009 12:24:04 GMT) (full text, mbox, link).

Message #12 received at 527474@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 527474@bugs.debian.org
Subject: Re: pango1.0: integer overflow in heap allocation size calculations
Date: Fri, 08 May 2009 08:21:26 -0400
Here is the upstream commit:

http://git.gnome.org/cgit/pango/commit/?id=4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e

Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
You have taken responsibility. (Sun, 10 May 2009 15:27:03 GMT) (full text, mbox, link).

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 10 May 2009 15:27:06 GMT) (full text, mbox, link).

Message #17 received at 527474-done@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 527474-done@bugs.debian.org
Subject: pango issue fixed in sid
Date: Mon, 11 May 2009 01:25:02 +1000
[Message part 1 (text/plain, inline)]
Version: 1.24.0-2

The bug has been fixed upstream and the fix made it into sid/squeeze.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Jun 2009 07:39:47 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:41:36 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started