A heap-based buffer overflow, leading to an array index error, was found in the way the Pango font rendering library rendered the glyph box for certain FT_Bitmap objects when the FreeType2 Pango back end was used for rendering. If an attacker created a specially-crafted font file and tricked a local, unsuspecting user into loading the font file in an application that uses the Pango font rendering library with the FreeType2 Pango back end for rendering, it could cause that application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

References:
[1] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616

CVE Request:
[2] http://www.openwall.com/lists/oss-security/2011/01/18/6

Public PoC:
[3] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/1 (malicious font)
[4] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/2 (sample text file to trigger the crash)
Created pango tracking bugs for this issue.

Affects: fedora-all [bug 671123]
This has been assigned CVE-2011-0020
This flaw does not affect RHEL4. The code in question does not exist in that version of Pango. This flaw should affect evolution28-pango on RHEL4 and pango on RHEL 5 and RHEL 6. The public reproducer does not work, as a different codepath is exercised than on systems that crash, but the faulty arithmetic is there. There are many possible codepaths that can exercise this bug.
I've looked over how pango is used in Red Hat Enterprise Linux. I do not believe this poses a significant risk. Nothing that uses pango for layout will accept arbitrary font input. Since this bug needs a malformed font, user interaction will be needed to exploit this flaw.
Also note that no one uses the PangoFT2 fontmap, except for maybe the GIMP and possibly old Inkscape. It's NOT used in GTK+ rendering or Firefox, etc.
The upstream bug has a patch. I'm testing it now.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5.6.Z
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 6

Via RHSA-2011:0180 https://rhn.redhat.com/errata/RHSA-2011-0180.html
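The description above reports an out-of-range index while drawing a glyph box into an FT_Bitmap, where the box edges come from metrics of an untrusted font. The following is an added illustration of the defensive pattern (every pixel write clipped against the bitmap's rows, width and pitch); it is not Pango's code, and the GrayBitmap struct, the function names and the 8x4 sample bitmap are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the FT_Bitmap fields relevant here (constructed; no FreeType headers needed). */
typedef struct {
    unsigned int   rows;    /* height in pixels */
    unsigned int   width;   /* width in pixels */
    int            pitch;   /* bytes per row, must be >= width for 8-bit gray */
    unsigned char *buffer;  /* rows * pitch bytes */
} GrayBitmap;

/* Write one 8-bit pixel only if (x, y) is inside the bitmap and the bitmap
 * geometry is self-consistent. Returns 1 if written, 0 if clipped. */
static int put_pixel_checked(GrayBitmap *bm, long x, long y)
{
    if (bm->buffer == NULL || bm->pitch <= 0) return 0;
    if ((unsigned long)bm->width > (unsigned long)bm->pitch) return 0; /* width/pitch mismatch */
    if (x < 0 || y < 0) return 0;
    if ((unsigned long)x >= bm->width || (unsigned long)y >= bm->rows) return 0;
    bm->buffer[(size_t)y * (size_t)bm->pitch + (size_t)x] = 0xFF;
    return 1;
}

/* Draw the outline of a "missing glyph" box spanning [x0,x1] x [y0,y1].
 * Edges derived from font metrics may be negative or exceed the bitmap;
 * such pixels are clipped, never indexed. Returns the pixels actually set. */
long draw_box_outline(GrayBitmap *bm, long x0, long y0, long x1, long y1)
{
    long n = 0, x, y;
    if (x1 < x0 || y1 < y0) return 0;          /* degenerate box */
    for (x = x0; x <= x1; x++) {               /* top and bottom edges */
        n += put_pixel_checked(bm, x, y0);
        if (y1 != y0) n += put_pixel_checked(bm, x, y1);
    }
    for (y = y0 + 1; y < y1; y++) {            /* left and right edges */
        n += put_pixel_checked(bm, x0, y);
        if (x1 != x0) n += put_pixel_checked(bm, x1, y);
    }
    return n;
}

/* Constructed scenario: an 8x4 bitmap followed by 16 zeroed guard bytes.
 * Returns the pixel count drawn, or -1 if any guard byte was modified. */
long scenario(long x0, long y0, long x1, long y1)
{
    unsigned char mem[8 * 4 + 16];
    GrayBitmap bm = { 4, 8, 8, mem };
    size_t i;
    long n;
    memset(mem, 0, sizeof mem);
    n = draw_box_outline(&bm, x0, y0, x1, y1);
    for (i = 8 * 4; i < sizeof mem; i++)
        if (mem[i] != 0) return -1;
    return n;
}
```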