CVE-2011-0020: heap corruption in libpango


Debian Bug report logs - #610792


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 22 Jan 2011 14:36:01 UTC

Severity: grave

Tags: security, squeeze-ignore

Fixed in version pango1.0/1.28.3-1+squeeze1

Done: Josselin Mouette <joss@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=639882




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#610792; Package pango1.0. (Sat, 22 Jan 2011 14:36:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastien Bacher <seb128@debian.org>. (Sat, 22 Jan 2011 14:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0020: heap corruption in libpango
Date: Sat, 22 Jan 2011 15:32:39 +0100
Package: pango1.0
Severity: grave
Tags: security

Discovered by Dan Rosenberg and posted to oss-security:

"When used with FreeType2 as a backend, Pango is vulnerable to heap
corruption when rendering malformed fonts. The vulnerability occurs in
pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer
is malloc'd with size box->bitmap.rows * box->bitmap.pitch.
Subsequently, 0xff is written at offsets into this buffer without
checking that these offsets fall within the buffer's boundaries,
leading to heap corruption."

-Dan

[1] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
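The defect pattern Dan Rosenberg describes, shown as an added illustration that is neither Pango's code nor Behdad Esfahbod's patch: a constructed rows*pitch bitmap and a box-outline renderer whose 0xff writes are bounds-checked, returning how many writes would otherwise have landed outside the heap buffer. The struct, function names and box geometry are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the rows x pitch glyph bitmap that
 * pango_ft2_font_render_box_glyph() fills (not Pango's own struct). */
typedef struct {
    int rows;               /* scanlines in the bitmap */
    int pitch;              /* bytes per scanline */
    unsigned char *buffer;  /* rows * pitch bytes on the heap */
} box_bitmap;

/* Allocate a zeroed rows*pitch buffer; reject non-positive sizes and
 * a product that would overflow size_t. */
box_bitmap *box_bitmap_new(int rows, int pitch)
{
    if (rows <= 0 || pitch <= 0 || (size_t)rows > SIZE_MAX / (size_t)pitch)
        return NULL;
    box_bitmap *bm = malloc(sizeof *bm);
    if (bm == NULL) return NULL;
    bm->rows = rows; bm->pitch = pitch;
    bm->buffer = calloc((size_t)rows, (size_t)pitch);
    if (bm->buffer == NULL) { free(bm); return NULL; }
    return bm;
}

/* Write 0xff at (x, y) only if the offset lies inside the buffer.
 * Returns 1 if written, 0 if the write was rejected. */
static int put_pixel_checked(box_bitmap *bm, int x, int y)
{
    if (x < 0 || y < 0 || x >= bm->pitch || y >= bm->rows) return 0;
    bm->buffer[(size_t)y * (size_t)bm->pitch + (size_t)x] = 0xff;
    return 1;
}

/* Draw the outline of a w x h box with top-left corner (x0, y0). Returns
 * how many writes fell outside the bitmap: unchecked, each would have
 * been an out-of-bounds heap write of the kind the report describes. */
int render_box_outline(box_bitmap *bm, int x0, int y0, int w, int h)
{
    int dropped = 0;
    for (int x = x0; x < x0 + w; x++) {
        dropped += !put_pixel_checked(bm, x, y0);          /* top */
        dropped += !put_pixel_checked(bm, x, y0 + h - 1);  /* bottom */
    }
    for (int y = y0 + 1; y < y0 + h - 1; y++) {
        dropped += !put_pixel_checked(bm, x0, y);          /* left */
        dropped += !put_pixel_checked(bm, x0 + w - 1, y);  /* right */
    }
    return dropped;
}
```

A non-zero return is the signal a renderer should treat as malformed glyph metrics rather than silently clipping.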




Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#610792; Package pango1.0. (Sat, 22 Jan 2011 23:09:05 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. (Sat, 22 Jan 2011 23:09:05 GMT)


Message #10 received at 610792@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: "Moritz Muehlenhoff" <jmm@debian.org>, 610792@bugs.debian.org
Subject: Re: Bug#610792: CVE-2011-0020: heap corruption in libpango
Date: Sat, 22 Jan 2011 23:07:59 -0000
user release.debian.org@packages.debian.org
usertag 610792 + squeeze-can-defer
tag 610792 + squeeze-ignore
thanks

On Sat, January 22, 2011 14:32, Moritz Muehlenhoff wrote:
> Package: pango1.0
> Severity: grave
> Tags: security
>
> Discovered by Dan Rosenberg and posted to oss-security:
>
> "When used with FreeType2 as a backend, Pango is vulnerable to heap
> corruption when rendering malformed fonts. The vulnerability occurs in
> pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer
> is malloc'd with size box->bitmap.rows * box->bitmap.pitch.
> Subsequently, 0xff is written at offsets into this buffer without
> checking that these offsets fall within the buffer's boundaries,
> leading to heap corruption."

This can be fixed via a security update after the release if required;
tagging as not a blocker for 6.0.0.

Regards,

Adam





Added tag(s) squeeze-ignore. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 22 Jan 2011 23:09:07 GMT)


Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=639882'. Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Mon, 24 Jan 2011 20:03:04 GMT)


Reply sent to Josselin Mouette <joss@debian.org>:
You have taken responsibility. (Mon, 24 Jan 2011 22:06:19 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 24 Jan 2011 22:06:20 GMT)


Message #19 received at 610792-close@bugs.debian.org:

From: Josselin Mouette <joss@debian.org>
To: 610792-close@bugs.debian.org
Subject: Bug#610792: fixed in pango1.0 1.28.3-1+squeeze1
Date: Mon, 24 Jan 2011 22:05:04 +0000
Source: pango1.0
Source-Version: 1.28.3-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
pango1.0, which is due to be installed in the Debian FTP archive:

libpango1.0-0-dbg_1.28.3-1+squeeze1_amd64.deb
  to main/p/pango1.0/libpango1.0-0-dbg_1.28.3-1+squeeze1_amd64.deb
libpango1.0-0_1.28.3-1+squeeze1_amd64.deb
  to main/p/pango1.0/libpango1.0-0_1.28.3-1+squeeze1_amd64.deb
libpango1.0-common_1.28.3-1+squeeze1_all.deb
  to main/p/pango1.0/libpango1.0-common_1.28.3-1+squeeze1_all.deb
libpango1.0-dev_1.28.3-1+squeeze1_amd64.deb
  to main/p/pango1.0/libpango1.0-dev_1.28.3-1+squeeze1_amd64.deb
libpango1.0-doc_1.28.3-1+squeeze1_all.deb
  to main/p/pango1.0/libpango1.0-doc_1.28.3-1+squeeze1_all.deb
libpango1.0-udeb_1.28.3-1+squeeze1_amd64.udeb
  to main/p/pango1.0/libpango1.0-udeb_1.28.3-1+squeeze1_amd64.udeb
pango1.0_1.28.3-1+squeeze1.diff.gz
  to main/p/pango1.0/pango1.0_1.28.3-1+squeeze1.diff.gz
pango1.0_1.28.3-1+squeeze1.dsc
  to main/p/pango1.0/pango1.0_1.28.3-1+squeeze1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 610792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated pango1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 24 Jan 2011 21:39:46 +0100
Source: pango1.0
Binary: libpango1.0-0 libpango1.0-udeb libpango1.0-common libpango1.0-dev libpango1.0-0-dbg libpango1.0-doc
Architecture: source all amd64
Version: 1.28.3-1+squeeze1
Distribution: unstable
Urgency: low
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 libpango1.0-0 - Layout and rendering of internationalized text
 libpango1.0-0-dbg - The Pango library and debugging symbols
 libpango1.0-common - Modules and configuration files for the Pango
 libpango1.0-dev - Development files for the Pango
 libpango1.0-doc - Documentation files for the Pango
 libpango1.0-udeb - Layout and rendering of internationalized text - minimal runtime (udeb)
Closes: 610792
Changes: 
 pango1.0 (1.28.3-1+squeeze1) unstable; urgency=low
 .
   * 01_CVE-2011-0020.patch: patch from Behdad Esfahbod to fix heap
     corruption. Closes: #610792, CVE-2011-0020. LP: #696616.
Package-Type: udeb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:22:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:37:20 2019; Machine Name: buxtehude
