Debian Bug report logs - #527474
pango1.0: integer overflow in heap allocation size calculations
Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Thu, 7 May 2009 19:54:01 UTC
Severity: grave
Tags: security
Fixed in version 1.24.0-2
Done: Steffen Joeris <steffen.joeris@skolelinux.de>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org: Bug#527474; Package pango. (Thu, 07 May 2009 19:54:03 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. (Thu, 07 May 2009 19:54:03 GMT)
Message #5 received at submit@bugs.debian.org:
package: pango
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.
CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization. Pango suffers from a multiplicative integer
|overflow which may lead to a potentially exploitable, heap overflow
|depending on the calling conditions. For example, this vulnerability is
|remotely reachable in Firefox by creating an overly large
|document.location value but only results in a process-terminating,
|allocation error (denial of service).
|
|The affected function is pango_glyph_string_set_size. An overflow check
|when doubling the size neglects the overflow possible on the subsequent
|allocation:
|
| string->glyphs = g_realloc (string->glyphs, string->space *
| sizeof (PangoGlyphInfo));
|
|Note that other font rendering subsystems suffer from similar issues and
|should be cross-checked by maintainers.
Please coordinate with the security team (team@security.debian.org)
to prepare updates for the stable releases.
See also USN-773-1 [1].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
http://security-tracker.debian.net/tracker/CVE-2009-1194
[1] http://www.ubuntu.com/usn/USN-773-1
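The gap the advisory describes, as an added example (not Pango's code and not the upstream patch): a doubling check that guards only the element count, beside a check on the byte size actually passed to the allocator. It models a 32-bit size_t with uint32_t; ELEM_SIZE and all function names are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE 20u /* assumed element size, constructed for the demo */

/* Doubling step guarded only against the element count overflowing. */
static bool double_count(int32_t space, int32_t *out)
{
    if (space > INT32_MAX / 2)
        return false;
    *out = (space == 0) ? 4 : space * 2;
    return true;
}

/* Byte size as a 32-bit size_t would compute it: wraps silently. */
static uint32_t bytes_unchecked(int32_t space)
{
    return (uint32_t)((uint32_t)space * ELEM_SIZE);
}

/* Hardened form: reject counts whose byte size cannot be represented. */
static bool bytes_checked(int32_t space, uint32_t *out)
{
    if (space < 0 || (uint32_t)space > UINT32_MAX / ELEM_SIZE)
        return false;
    *out = (uint32_t)space * ELEM_SIZE;
    return true;
}

int main(void)
{
    int32_t space = 0;
    uint32_t bytes = 0;

    /* 0x08000000 elements doubles to 0x10000000: the count check passes. */
    if (!double_count(0x08000000, &space))
        return 1;
    printf("count=%d unchecked=%u bytes (true size %llu)\n", (int)space,
           (unsigned)bytes_unchecked(space),
           (unsigned long long)space * ELEM_SIZE);
    printf("checked: %s\n", bytes_checked(space, &bytes) ? "ok" : "rejected");
    return 0;
}
```

With the unchecked path the allocator is asked for far fewer bytes than the recorded element count implies, which is the condition that turns a later write into a heap overflow.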
Bug reassigned from package `pango' to `pango1.0'. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Thu, 07 May 2009 20:06:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#527474; Package pango1.0. (Fri, 08 May 2009 12:24:04 GMT)
Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. (Fri, 08 May 2009 12:24:04 GMT)
Message #12 received at 527474@bugs.debian.org:
Here is the upstream commit:
http://git.gnome.org/cgit/pango/commit/?id=4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>: You have taken responsibility. (Sun, 10 May 2009 15:27:03 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sun, 10 May 2009 15:27:06 GMT)
Message #17 received at 527474-done@bugs.debian.org:
Version: 1.24.0-2
The bug has been fixed upstream and the fix made it into sid/squeeze.
Cheers
Steffen
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Jun 2009 07:39:47 GMT)
Last modified: Wed Jun 19 14:41:36 2019