Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 496887 - (CVE-2009-1194) CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20090413,pu...
: Security
Depends On: 497357 497358 497359 497360 497361 497362 497363 502582
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-21 10:49 EDT by Tomas Hoger
Modified: 2016-03-04 06:56 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-02-23 04:52:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0476 normal SHIPPED_LIVE Important: pango security update 2009-05-08 05:25:56 EDT

  None (edit)
Description Tomas Hoger 2009-04-21 10:49:06 EDT 
Will Drewry reported an integer overflow flaw in pango's pango_glyph_string_set_size in pango/glyphstring.c:

 61   while (new_len > string->space)
 62     {
 63       if (string->space == 0)
 64         string->space = 1;
 65       else
 66         string->space *= 2;
 67 
 68       if (string->space < 0)
 69         {
 70           g_warning ("glyph string length overflows maximum integer size, truncated");
 71           new_len = string->space = G_MAXINT - 8;
 72         }
 73     }
 74 
 75   string->glyphs = g_realloc (string->glyphs, string->space * sizeof (PangoGlyphInfo));

string->space is checked against overflow when doubling it, but is not protected against overflow when multiplied by sizeof(PangoGlyphInfo).

Upstream fix:
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e

Acknowledgements:

Red Hat would like to thank Will Drewry for reporting this issue.
Comment 1 Tomas Hoger 2009-04-21 10:50:09 EDT 
According to Will's findings, this overflow can be triggered by malicious JavaScript via Firefox / Seamonkey:
  https://bugzilla.mozilla.org/show_bug.cgi?id=480134
Comment 12 Vincent Danen 2009-05-07 14:11:41 EDT 
Embargo has been lifted.
Comment 14 errata-xmlrpc 2009-05-08 05:26:00 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 3

Via RHSA-2009:0476 https://rhn.redhat.com/errata/RHSA-2009-0476.html
Comment 15 Jan Lieskovsky 2009-05-11 12:23:10 EDT 
Common Vulnerabilities and Exposures's CVE-2009-1194 entry:

Integer overflow in the pango_glyph_string_set_size function in
pango/glyphstring.c in Pango before 1.24 allows context-dependent
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via a long glyph string that triggers a
heap-based buffer overflow, as demonstrated by a long
document.location value in Firefox. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
http://www.openwall.com/lists/oss-security/2009/05/07/1
http://www.ocert.org/advisories/ocert-2009-001.html
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
https://bugzilla.mozilla.org/show_bug.cgi?id=480134
https://launchpad.net/bugs/cve/2009-1194
http://www.ubuntu.com/usn/USN-773-1
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.