Bug 496887 (CVE-2009-1194) - CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
Summary: CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
Status: CLOSED ERRATA
Alias: CVE-2009-1194
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20090413,pu...
Keywords: Security
Depends On: 497357 497358 497359 497360 497361 497362 497363 502582
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-21 14:49 UTC by Tomas Hoger
Modified: 2016-03-04 11:56 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-02-23 09:52:45 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0476 normal SHIPPED_LIVE Important: pango security update 2009-05-08 09:25:56 UTC

Description Tomas Hoger 2009-04-21 14:49:06 UTC
Will Drewry reported an integer overflow flaw in pango's pango_glyph_string_set_size in pango/glyphstring.c:

 61   while (new_len > string->space)
 62     {
 63       if (string->space == 0)
 64         string->space = 1;
 65       else
 66         string->space *= 2;
 67 
 68       if (string->space < 0)
 69         {
 70           g_warning ("glyph string length overflows maximum integer size, truncated");
 71           new_len = string->space = G_MAXINT - 8;
 72         }
 73     }
 74 
 75   string->glyphs = g_realloc (string->glyphs, string->space * sizeof (PangoGlyphInfo));

string->space is checked against overflow when doubling it, but is not protected against overflow when multiplied by sizeof(PangoGlyphInfo).

Upstream fix:
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e

Acknowledgements:

Red Hat would like to thank Will Drewry for reporting this issue.

Comment 1 Tomas Hoger 2009-04-21 14:50:09 UTC
According to Will's findings, this overflow can be triggered by malicious JavaScript via Firefox / Seamonkey:
  https://bugzilla.mozilla.org/show_bug.cgi?id=480134

Comment 12 Vincent Danen 2009-05-07 18:11:41 UTC
Embargo has been lifted.

Comment 14 errata-xmlrpc 2009-05-08 09:26:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 3

Via RHSA-2009:0476 https://rhn.redhat.com/errata/RHSA-2009-0476.html

Comment 15 Jan Lieskovsky 2009-05-11 16:23:10 UTC
Common Vulnerabilities and Exposures's CVE-2009-1194 entry:

Integer overflow in the pango_glyph_string_set_size function in
pango/glyphstring.c in Pango before 1.24 allows context-dependent
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via a long glyph string that triggers a
heap-based buffer overflow, as demonstrated by a long
document.location value in Firefox. 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
http://www.openwall.com/lists/oss-security/2009/05/07/1
http://www.ocert.org/advisories/ocert-2009-001.html
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
https://bugzilla.mozilla.org/show_bug.cgi?id=480134
https://launchpad.net/bugs/cve/2009-1194
http://www.ubuntu.com/usn/USN-773-1


Note You need to log in before you can comment on or make changes to this bug.