Bug 671122 (CVE-2011-0020)

Summary: CVE-2011-0020 pango: Heap-based buffer overflow by rendering glyph box for certain FT_Bitmap objects
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
See Also: https://bugzilla.gnome.org/show_bug.cgi?id=639882
Whiteboard: public=20110118,reported=20110118,source=oss-security,impact=moderate,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P/,rhel-5/pango=affected,rhel-6/pango=affected,fedora-all/pango=affected/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-4/pango=notaffected,rhel-4/evolution28-pango=affected,cwe=CWE-122[auto]
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: behdad, bressers, fonts-bugs, mclasen, wnefal+redhatbugzilla
Keywords: Security
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-03-26 17:12:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 671123, 671527, 671528, 671529, 671530, 671531, 671532, 833949

Description Jan Lieskovsky 2011-01-20 07:57:57 EST
A heap-based buffer overflow, leading to an array index error, was found
in the way the Pango font rendering library rendered the glyph box for
certain FT_Bitmap objects when the FreeType2 Pango back end was used
for rendering. If an attacker created a specially-crafted font file
and tricked a local, unsuspecting user into loading the font file
in an application that uses the Pango font rendering library with the
FreeType2 Pango back end for rendering, it could cause that application
to crash or, potentially, execute arbitrary code with the privileges
of the user running the application.

References:
[1] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616

CVE Request:
[2] http://www.openwall.com/lists/oss-security/2011/01/18/6

Public PoC:
[3] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/1
    (malicious font)
[4] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/2
    (sample text file to trigger the crash)
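The flaw class described above, as an added illustration that is not Pango's code and does not reproduce the exact arithmetic of CVE-2011-0020: a renderer that draws a rectangular "glyph box" into an FT_Bitmap-style heap buffer. The names `ft_bitmap_t`, `render_box_unchecked`, `render_box_clipped` and `canary_bytes_clobbered` are this example's own, and the 8-bit-gray bitmap layout is an assumption. The unchecked variant trusts the box geometry and writes past the end of the buffer; the clipped variant intersects the box with the bitmap (in wide arithmetic, so `x + w` cannot wrap) before touching memory. A canary region placed after the bitmap inside one allocation makes the overflow observable without corrupting heap metadata.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for FreeType's FT_Bitmap with 8-bit gray pixels (one byte each).
 * Only the fields the rendering loop needs are modelled; this is an
 * assumption of the example, not Pango's or FreeType's real type. */
typedef struct {
    unsigned int rows;   /* scanlines in the bitmap */
    unsigned int width;  /* pixels per scanline */
    int pitch;           /* bytes per scanline in memory, >= width */
    uint8_t *buffer;     /* rows * pitch bytes, allocated on the heap */
} ft_bitmap_t;

/* VULNERABLE variant: draws the outline of a w x h box whose top-left corner
 * is (x, y), trusting the geometry it is handed. When the box reaches past
 * the bitmap's rows or width, edge pixels land beyond the heap buffer. */
static void render_box_unchecked(ft_bitmap_t *bm, int x, int y, int w, int h)
{
    for (int row = y; row < y + h; row++) {
        uint8_t *line = bm->buffer + (long)row * bm->pitch;
        for (int col = x; col < x + w; col++) {
            int on_edge = row == y || row == y + h - 1 || col == x || col == x + w - 1;
            if (on_edge)
                line[col] = 0xff;
        }
    }
}

/* HARDENED variant: clips the box to the bitmap before any write, computing
 * the box edges in long so x + w cannot overflow int. Returns 1 if the box
 * was clipped or rejected, 0 if it fit entirely. */
static int render_box_clipped(ft_bitmap_t *bm, int x, int y, int w, int h)
{
    if (bm == NULL || bm->buffer == NULL || w <= 0 || h <= 0 || bm->pitch < (int)bm->width)
        return 1;
    long x_end = (long)x + w, y_end = (long)y + h;          /* exclusive edges */
    long x0 = x < 0 ? 0 : x, y0 = y < 0 ? 0 : y;
    long x1 = x_end > (long)bm->width ? (long)bm->width : x_end;
    long y1 = y_end > (long)bm->rows ? (long)bm->rows : y_end;
    int clipped = x0 != x || y0 != y || x1 != x_end || y1 != y_end;
    for (long row = y0; row < y1; row++) {
        uint8_t *line = bm->buffer + row * bm->pitch;
        for (long col = x0; col < x1; col++) {
            int on_edge = row == y || row == y_end - 1 || col == x || col == x_end - 1;
            if (on_edge)
                line[col] = 0xff;
        }
    }
    return clipped;
}

/* Demo harness: an 8x8 bitmap (64 bytes) followed by a 64-byte canary in the
 * same allocation. The requested box at (4,4) of size 8x8 reaches column 11
 * and row 11, past the declared bitmap. Returns how many canary bytes the
 * chosen renderer overwrote (constructed input, not a real font). */
#define BM_ROWS 8
#define BM_WIDTH 8
#define CANARY_LEN 64
#define CANARY_BYTE 0xaa

int canary_bytes_clobbered(int use_hardened)
{
    size_t bm_bytes = (size_t)BM_ROWS * BM_WIDTH;
    uint8_t *mem = calloc(bm_bytes + CANARY_LEN, 1);
    if (!mem)
        return -1;
    memset(mem + bm_bytes, CANARY_BYTE, CANARY_LEN);

    ft_bitmap_t bm = { BM_ROWS, BM_WIDTH, BM_WIDTH, mem };
    if (use_hardened)
        render_box_clipped(&bm, 4, 4, 8, 8);
    else
        render_box_unchecked(&bm, 4, 4, 8, 8);

    int clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (mem[bm_bytes + i] != CANARY_BYTE)
            clobbered++;
    free(mem);
    return clobbered;
}

/* Reports whether the hardened renderer had to clip a box on a 4x4 bitmap. */
int clipping_reported(int x, int y, int w, int h)
{
    uint8_t buf[16] = { 0 };
    ft_bitmap_t bm = { 4, 4, 4, buf };
    return render_box_clipped(&bm, x, y, w, h);
}

int main(void)
{
    printf("unchecked renderer: %d canary bytes overwritten\n", canary_bytes_clobbered(0));
    printf("clipped renderer:   %d canary bytes overwritten\n", canary_bytes_clobbered(1));
    return 0;
}
```

With the demo geometry the unchecked loop writes the 7 left/right edge pixels of rows 8 through 10 and the 8 bottom-edge pixels of row 11 into the canary (15 bytes), while the clipped loop stays inside the declared 8x8 region. The same clamp-before-write discipline applies whichever coordinate is attacker-influenced, and rejecting non-positive sizes up front avoids the negative-width case entirely.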
Comment 2 Jan Lieskovsky 2011-01-20 08:01:33 EST
Created pango tracking bugs for this issue

Affects: fedora-all [bug 671123]
Comment 4 Huzaifa S. Sidhpurwala 2011-01-21 01:03:10 EST
This has been assigned CVE-2011-0020
Comment 5 Josh Bressers 2011-01-21 13:42:03 EST
This flaw does not affect RHEL4. The code in question does not exist in that version of Pango.

This flaw should affect evolution28-pango on RHEL4 and pango on RHEL 5 and RHEL 6. The public reproducer does not work, as a different codepath is exercised than on systems that crash, but the faulty arithmetic is there. There are many possible codepaths that can exercise this bug.
Comment 6 Josh Bressers 2011-01-21 13:43:17 EST
I've looked over how pango is used in Red Hat Enterprise Linux. I do not believe this poses a significant risk. Nothing that uses pango for layout will accept arbitrary font input. Since this bug needs a malformed font, user interaction will be needed to exploit this flaw.
Comment 9 Josh Bressers 2011-01-21 13:53:34 EST
Created pango tracking bugs for this issue

Affects: fedora-all [bug 671123]
Comment 10 Behdad Esfahbod 2011-01-21 14:36:58 EST
Also note that no one uses the PangoFT2 fontmap, except for maybe the GIMP and possibly old Inkscape.  It's NOT used in GTK+ rendering or Firefox, etc.
Comment 11 Josh Bressers 2011-01-21 16:34:23 EST
The upstream bug has a patch. I'm testing it now.
Comment 12 errata-xmlrpc 2011-01-27 13:36:41 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6.Z
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2011:0180 https://rhn.redhat.com/errata/RHSA-2011-0180.html