
Debian Bug report logs - #933860
pango1.0: CVE-2019-1010238


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 4 Aug 2019 13:57:06 UTC

Severity: important

Tags: security, upstream

Found in version pango1.0/1.42.4-6

Fixed in version pango1.0/1.42.4-7

Done: Simon McVittie <smcv@debian.org>

Forwarded to https://gitlab.gnome.org/GNOME/pango/issues/342



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#933860; Package src:pango1.0. (Sun, 04 Aug 2019 13:57:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 04 Aug 2019 13:57:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pango1.0: CVE-2019-1010238
Date: Sun, 04 Aug 2019 15:53:28 +0200
Source: pango1.0
Version: 1.42.4-6
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/pango/issues/342

Hi,

The following vulnerability was published for pango1.0.

CVE-2019-1010238[0]:
| Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact
| is: The heap based buffer overflow can be used to get code execution.
| The component is: function name: pango_log2vis_get_embedding_levels,
| assignment of nchars and the loop condition. The attack vector is: Bug
| can be used when application pass invalid utf-8 strings to functions
| like pango_itemize.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-1010238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238
[1] https://gitlab.gnome.org/GNOME/pango/issues/342
[2] https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#933860. (Sun, 04 Aug 2019 16:24:06 GMT)


Message #8 received at 933860-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 933860-submitter@bugs.debian.org
Subject: Bug#933860 marked as pending in pango
Date: Sun, 04 Aug 2019 16:20:14 +0000
Control: tag -1 pending

Hello,

Bug #933860 in pango reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/pango/commit/04d20aec487a570bdca67edf9119d5a937bc7901

------------------------------------------------------------------------
CVE-2019-1010238: Fix heap overflow when acting on malformed UTF-8

Closes: #933860
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/933860



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 933860-submitter@bugs.debian.org. (Sun, 04 Aug 2019 16:24:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#933860; Package src:pango1.0. (Sun, 04 Aug 2019 16:30:03 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 04 Aug 2019 16:30:03 GMT)


Message #15 received at 933860@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 933860@bugs.debian.org
Subject: Re: Bug#933860: pango1.0: CVE-2019-1010238
Date: Sun, 4 Aug 2019 17:27:34 +0100
Control: tags -1 + pending

On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> CVE-2019-1010238[0]:
> | Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact
> | is: The heap based buffer overflow can be used to get code execution.
> | The component is: function name: pango_log2vis_get_embedding_levels,
> | assignment of nchars and the loop condition. The attack vector is: Bug
> | can be used when application pass invalid utf-8 strings to functions
> | like pango_itemize.

The upstream bug is currently still marked as confidential, but is
accessible by GNOME members and contains a reproducer. Ubuntu appear to
have released the upstream patch as a fix, so hopefully that's valid; a
test-build of something functionally equivalent for sid is compiling now.

Do I assume correctly from the 'important' severity that the security team
do not intend to release a DSA for this?

For buster (either via a DSA or a point release), the solution will
presumably be a 1.42.4-7~deb10u1 or 1.42.4-6+deb10u1 that is equivalent to
what I'm now testing, but with the changelog and debian/gbp.conf adjusted
appropriately for buster.

> Please adjust the affected versions in the BTS as needed.

I'll check the upstream reproducer against stretch (and jessie for the
LTS people's benefit) soon.

    smcv



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#933860; Package src:pango1.0. (Sun, 04 Aug 2019 16:51:06 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 04 Aug 2019 16:51:06 GMT)


Message #20 received at 933860@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 933860@bugs.debian.org
Subject: Re: Bug#933860: pango1.0: CVE-2019-1010238
Date: Sun, 4 Aug 2019 17:48:38 +0100
On Sun, 04 Aug 2019 at 17:27:34 +0100, Simon McVittie wrote:
> On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> > Please adjust the affected versions in the BTS as needed.
> 
> I'll check the upstream reproducer against stretch (and jessie for the
> LTS people's benefit) soon.

The reproducer provided on the embargoed upstream bug would seem to
indicate that stretch and jessie are not affected.

Ubuntu 18.04 'xenial' is also shipping pango1.0 1.40.x (although a
later release than the one in stretch), and Ubuntu have not patched that
version for this CVE.

    smcv



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 04 Aug 2019 17:12:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 04 Aug 2019 17:12:05 GMT)


Message #25 received at 933860-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 933860-close@bugs.debian.org
Subject: Bug#933860: fixed in pango1.0 1.42.4-7
Date: Sun, 04 Aug 2019 17:08:00 +0000
Source: pango1.0
Source-Version: 1.42.4-7

We believe that the bug you reported is fixed in the latest version of
pango1.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933860@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated pango1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 04 Aug 2019 17:20:47 +0100
Source: pango1.0
Architecture: source
Version: 1.42.4-7
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 933860
Changes:
 pango1.0 (1.42.4-7) unstable; urgency=medium
 .
   * Team upload
   * d/p/bidi-Be-safer-against-bad-input.patch:
     Fix heap overflow when acting on malformed UTF-8.
     (Closes: #933860; CVE-2019-1010238)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#933860; Package src:pango1.0. (Sun, 04 Aug 2019 17:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 04 Aug 2019 17:24:03 GMT)


Message #30 received at 933860@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>, 933860@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#933860: pango1.0: CVE-2019-1010238
Date: Sun, 4 Aug 2019 19:21:29 +0200
Hi Simon,

[Adding team@s.d.o to CC]

On Sun, Aug 04, 2019 at 05:48:38PM +0100, Simon McVittie wrote:
> On Sun, 04 Aug 2019 at 17:27:34 +0100, Simon McVittie wrote:
> > On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> > > Please adjust the affected versions in the BTS as needed.
> > 
> > I'll check the upstream reproducer against stretch (and jessie for the
> > LTS people's benefit) soon.
> 
> The reproducer provided on the embargoed upstream bug would seem to
> indicate that stretch and jessie are not affected.
> 
> Ubuntu 18.04 'xenial' is also shipping pango1.0 1.40.x (although a
> later release than the one in stretch), and Ubuntu have not patched that
> version for this CVE.

Okay. Is there some indication which upstream code change introduced
the issue so we can try to narrow this down?

Re the no-dsa/dsa question, the added severity does not necessarily
imply that; actually, to be on the safe side I should have chosen grave
(which can then be lowered if not appropriate). The problem was simply
that I cannot determine the impact and exploiting/attack scenarios
well enough.

Does the upstream bug give more details which can help on that?

That a reproducer might not trigger and the loop part is missing might
still not guarantee us that the issue is not present. As said, I do not
have enough insight here. But the question was also raised by
Leonidas S. Barbosa from Ubuntu (but I guess without receiving a reply)
in https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54#note_563576

Thanks for having done already the fix for unstable!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#933860; Package src:pango1.0. (Sun, 04 Aug 2019 18:09:03 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 04 Aug 2019 18:09:03 GMT)


Message #35 received at 933860@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 933860@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#933860: pango1.0: CVE-2019-1010238
Date: Sun, 4 Aug 2019 19:05:42 +0100
https://gitlab.gnome.org/GNOME/pango/issues/342 has now been unembargoed.

On Sun, 04 Aug 2019 at 19:21:29 +0200, Salvatore Bonaccorso wrote:
> Is there some indication which upstream code change introduced
> the issue so we can try to narrow this down?

Not as far as I can see, but I am not a Pango expert. Perhaps someone
else in the GNOME team has some insight here?

> Re the no-dsa/dsa question, the added severity does not necessarily
> imply that; actually, to be on the safe side I should have chosen grave
> (which can then be lowered if not appropriate). The problem was simply
> that I cannot determine the impact and exploiting/attack scenarios
> well enough.
> 
> Does the upstream bug give more details which can help on that?

The upstream bug reporter writes:

    [The segfault] happens because g_utf8_strlen("\xf8")
    is zero, so n_chars will be zero at this point:
    https://gitlab.gnome.org/GNOME/pango/blob/eb2c647ff693bf3218fd1772f11a008bfbc975e7/pango/pango-bidi-type.c#L173

    But because length = 1, the loop at
    https://gitlab.gnome.org/GNOME/pango/blob/eb2c647ff693bf3218fd1772f11a008bfbc975e7/pango/pango-bidi-type.c#L181
    still executes at least one time, leading to a NULL pointer
    dereference (g_new(.., 0) = NULL).

    In general, this issue leads to an out-of-bounds heap write and can
    be triggered via pango_itemize if the bytes passed to pango_itemize
    are user-controlled.

I hope that's helpful.

Sorry, I don't know enough about Pango to know whether it's reasonable
to pass malformed UTF-8 to pango_itemize(), or whether this can happen in
practice in (for example) web browsers.

    smcv
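As an added illustration of the mismatch the upstream reporter describes (this is a constructed, glib-free model written for this log, not Pango's code or the upstream patch): the level array is sized by the number of complete characters, while the loop walks to the byte end, so a truncated trailing sequence such as "\xf8" yields one more iteration than there are slots. The hardened form lets both bounds end the loop and refuses to run over an empty buffer. The helper names `utf8_skip`, `count_chars`, `count_loop_writes` and `fill_levels_safe` are this example's own.

```c
#include <stdlib.h>

/* Bytes a lead byte claims to span, mirroring glib's skip table
 * (0xF8..0xFB -> 5, 0xFC..0xFD -> 6, 0xFE..0xFF -> 1). Constructed model. */
static size_t utf8_skip(unsigned char c)
{
    return c < 0xC0 ? 1 : c < 0xE0 ? 2 : c < 0xF0 ? 3 : c < 0xF8 ? 4
         : c < 0xFC ? 5 : c < 0xFE ? 6 : 1;
}

/* Stand-in for g_utf8_strlen(text, length): a character that runs past
 * `length` is not counted, so "\xf8" with length 1 gives 0. */
size_t count_chars(const char *text, size_t length)
{
    size_t n = 0, pos = 0;
    while (pos < length) {
        pos += utf8_skip((unsigned char)text[pos]);
        if (pos <= length) n++;
    }
    return n;
}

/* Shape of the original loop: advance by the lead-byte skip until the BYTE
 * end. Returns how many slots of an n_chars-sized array it would touch
 * (nothing is written); any excess over count_chars() is the overflow. */
size_t count_loop_writes(const char *text, size_t length)
{
    size_t i = 0, pos = 0;
    while (pos < length) {
        pos += utf8_skip((unsigned char)text[pos]);
        i++;
    }
    return i;
}

/* Hardened form: size by n_chars and let BOTH bounds end the loop, so a
 * truncated trailing sequence is dropped rather than written past the end.
 * Returns slots filled; 0 when the input holds no complete character. */
size_t fill_levels_safe(const char *text, size_t length)
{
    size_t n_chars = count_chars(text, length), i = 0, pos = 0;
    unsigned char *levels;
    if (n_chars == 0) return 0;        /* never run the loop over a NULL buffer */
    levels = calloc(n_chars, 1);
    if (levels == NULL) return 0;
    while (i < n_chars && pos < length) {
        pos += utf8_skip((unsigned char)text[pos]);
        levels[i++] = 0;               /* stand-in for the computed bidi level */
    }
    free(levels);
    return i;
}
```

The caller-side mitigation the thread hints at is simply to validate UTF-8 before itemizing; the loop-side fix above is what makes the library safe even when a caller does not.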





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Aug 5 09:34:29 2019; Machine Name: beach
