Bug 496887 (CVE-2009-1194)

Summary: CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: behdad, bressers, jlieskov, kreilly, mbarnes, mjc, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-23 09:52:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 497357, 497358, 497359, 497360, 497361, 497362, 497363, 502582    
Bug Blocks:    

Description Tomas Hoger 2009-04-21 14:49:06 UTC 
Will Drewry reported an integer overflow flaw in pango's pango_glyph_string_set_size in pango/glyphstring.c:

 61   while (new_len > string->space)
 62     {
 63       if (string->space == 0)
 64         string->space = 1;
 65       else
 66         string->space *= 2;
 67 
 68       if (string->space < 0)
 69         {
 70           g_warning ("glyph string length overflows maximum integer size, truncated");
 71           new_len = string->space = G_MAXINT - 8;
 72         }
 73     }
 74 
 75   string->glyphs = g_realloc (string->glyphs, string->space * sizeof (PangoGlyphInfo));

string->space is checked against overflow when doubling it, but is not protected against overflow when multiplied by sizeof(PangoGlyphInfo).

Upstream fix:
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e

Acknowledgements:

Red Hat would like to thank Will Drewry for reporting this issue.
Comment 1 Tomas Hoger 2009-04-21 14:50:09 UTC 
According to Will's findings, this overflow can be triggered by malicious JavaScript via Firefox / Seamonkey:
  https://bugzilla.mozilla.org/show_bug.cgi?id=480134
Comment 12 Vincent Danen 2009-05-07 18:11:41 UTC 
Embargo has been lifted.
Comment 14 errata-xmlrpc 2009-05-08 09:26:00 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 3

Via RHSA-2009:0476 https://rhn.redhat.com/errata/RHSA-2009-0476.html
Comment 15 Jan Lieskovsky 2009-05-11 16:23:10 UTC 
Common Vulnerabilities and Exposures's CVE-2009-1194 entry:

Integer overflow in the pango_glyph_string_set_size function in
pango/glyphstring.c in Pango before 1.24 allows context-dependent
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via a long glyph string that triggers a
heap-based buffer overflow, as demonstrated by a long
document.location value in Firefox. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
http://www.openwall.com/lists/oss-security/2009/05/07/1
http://www.ocert.org/advisories/ocert-2009-001.html
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
https://bugzilla.mozilla.org/show_bug.cgi?id=480134
https://launchpad.net/bugs/cve/2009-1194
http://www.ubuntu.com/usn/USN-773-1