Bug 671122 (CVE-2011-0020) - CVE-2011-0020 pango: Heap-based buffer overflow by rendering glyph box for certain FT_Bitmap objects
Summary: CVE-2011-0020 pango: Heap-based buffer overflow by rendering glyph box for ce...
Status: CLOSED ERRATA
Alias: CVE-2011-0020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110118,reported=20110118,sou...
Keywords: Security
Depends On: 671123 671527 671528 671529 671530 671531 671532 833949
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-20 12:57 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:43 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-03-26 21:12:36 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0180 normal SHIPPED_LIVE Moderate: pango security update 2011-01-27 18:36:34 UTC
GNOME Bugzilla 639882 None None None Never

Description Jan Lieskovsky 2011-01-20 12:57:57 UTC
A heap-based buffer overflow, leading to array index error was found
in the way the Pango font rendering library rendered glyph box for
certain FT_Bitmap objects, when the FreeType2 Pango back end was used
for rendering. If an attacker created a specially-crafted font file 
and tricked a local, unsuspecting user into loading the font file 
in an application that uses the Pango font rendering library and FreeType2
Pango back end was used for rendering, it could cause that application 
to crash or, potentially, execute arbitrary code with the privileges
of the user running the application.

References:
[1] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616

CVE Request:
[2] http://www.openwall.com/lists/oss-security/2011/01/18/6

Public PoC:
[3] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/1
    (malicious font)
[4] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/2
    (sample text file to trigger the crash)

Comment 2 Jan Lieskovsky 2011-01-20 13:01:33 UTC
Created pango tracking bugs for this issue

Affects: fedora-all [bug 671123]

Comment 4 Huzaifa S. Sidhpurwala 2011-01-21 06:03:10 UTC
This has been assigned CVE-2011-0020

Comment 5 Josh Bressers 2011-01-21 18:42:03 UTC
This flaw does not affect RHEL4. The code in question does not exist in that version of Pango.

This flaw should affect evolution28-pango on RHEL4 and pango on RHEL 5 and RHEL 6. The public reproducer does not work, as a different codepath is exercised than on systems that crash, but the faulty arithmetic is there. There are many possible codepaths that can exercise this bug.

Comment 6 Josh Bressers 2011-01-21 18:43:17 UTC
I've looked over how pango is used in Red Hat Enterprise Linux. I do not believe this poses a significant risk. Nothing that uses pango for layout will accept arbitrary font input. Since this bug needs a malformed font, user interaction will be needed to exploit this flaw.

Comment 9 Josh Bressers 2011-01-21 18:53:34 UTC
Created pango tracking bugs for this issue

Affects: fedora-all [bug 671123]

Comment 10 Behdad Esfahbod 2011-01-21 19:36:58 UTC
Also note that no one uses the PangoFT2 fontmap, except for maybe the GIMP and possibly old Inkscape.  It's NOT used in GTK+ rendering or Firefox, etc.

Comment 11 Josh Bressers 2011-01-21 21:34:23 UTC
The upstream bug has a patch. I'm testing it now.

Comment 12 errata-xmlrpc 2011-01-27 18:36:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6.Z
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2011:0180 https://rhn.redhat.com/errata/RHSA-2011-0180.html


Note You need to log in before you can comment on or make changes to this bug.