Bug 496887 (CVE-2009-1194)
| Summary: | CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | behdad, bressers, jlieskov, kreilly, mbarnes, mjc, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-23 09:52:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 497357, 497358, 497359, 497360, 497361, 497362, 497363, 502582 | ||
| Bug Blocks: | |||
According to Will's findings, this overflow can be triggered by malicious JavaScript via Firefox / Seamonkey: https://bugzilla.mozilla.org/show_bug.cgi?id=480134 Embargo has been lifted. This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 3 Via RHSA-2009:0476 https://rhn.redhat.com/errata/RHSA-2009-0476.html Common Vulnerabilities and Exposures's CVE-2009-1194 entry: Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194 http://www.openwall.com/lists/oss-security/2009/05/07/1 http://www.ocert.org/advisories/ocert-2009-001.html http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e https://bugzilla.mozilla.org/show_bug.cgi?id=480134 https://launchpad.net/bugs/cve/2009-1194 http://www.ubuntu.com/usn/USN-773-1 |
Will Drewry reported an integer overflow flaw in pango's pango_glyph_string_set_size in pango/glyphstring.c: 61 while (new_len > string->space) 62 { 63 if (string->space == 0) 64 string->space = 1; 65 else 66 string->space *= 2; 67 68 if (string->space < 0) 69 { 70 g_warning ("glyph string length overflows maximum integer size, truncated"); 71 new_len = string->space = G_MAXINT - 8; 72 } 73 } 74 75 string->glyphs = g_realloc (string->glyphs, string->space * sizeof (PangoGlyphInfo)); string->space is checked against overflow when doubling it, but is not protected against overflow when multiplied by sizeof(PangoGlyphInfo). Upstream fix: http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e Acknowledgements: Red Hat would like to thank Will Drewry for reporting this issue.