Bug 671122 - (CVE-2011-0020) CVE-2011-0020 pango: Heap-based buffer overflow by rendering glyph box for certain FT_Bitmap objects
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110118,reported=20110118,sou...
Keywords: Security
Depends On: 671123 671527 671528 671529 671530 671531 671532 833949
Blocks:
Reported: 2011-01-20 07:57 EST by Jan Lieskovsky
Modified: 2016-03-04 06:56 EST
CC: 5 users

Doc Type: Bug Fix
Last Closed: 2013-03-26 17:12:36 EDT

Attachments: None

Description Jan Lieskovsky 2011-01-20 07:57:57 EST
A heap-based buffer overflow, leading to an array index error, was found
in the way the Pango font rendering library rendered the glyph box for
certain FT_Bitmap objects when the FreeType2 Pango back end was used
for rendering. If an attacker created a specially-crafted font file
and tricked a local, unsuspecting user into loading the font file
in an application that uses the Pango font rendering library, with the
FreeType2 Pango back end used for rendering, it could cause that application
to crash or, potentially, execute arbitrary code with the privileges
of the user running the application.

References:
[1] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616

CVE Request:
[2] http://www.openwall.com/lists/oss-security/2011/01/18/6

Public PoC:
[3] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/1
    (malicious font)
[4] https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/comments/2
    (sample text file to trigger the crash)
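The bug class the description names, a box glyph drawn into a heap-allocated FT_Bitmap whose pixel indices are computed from the glyph geometry without being clipped to the bitmap, can be shown in isolation. The following is an added illustration, not Pango's or FreeType's code and not a reproduction of the faulty arithmetic in pangoft2: the `Bitmap` type is a hypothetical stand-in carrying only the `rows`, `width`, `pitch` and `buffer` fields a renderer touches, the 8x8 sample bitmap and the box coordinates are constructed inputs, and `box_unchecked` shows the vulnerable pattern beside `box_checked`, the clipped form. `box_oob_writes` counts, without performing them, the writes the unchecked version would make outside the allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the FT_Bitmap fields a renderer uses; this is
 * not FreeType's or Pango's own type. 8-bit grey, one byte per pixel. */
typedef struct {
    unsigned int rows;      /* scanlines in the bitmap */
    unsigned int width;     /* visible pixels per scanline */
    int pitch;              /* bytes between the start of two scanlines */
    unsigned char *buffer;  /* rows * pitch bytes, heap allocated */
} Bitmap;

/* Is (i, j) on the one-pixel border of a w x h box? */
static int on_border(int i, int j, int w, int h)
{
    return j == 0 || j == h - 1 || i == 0 || i == w - 1;
}

/* Vulnerable pattern: origin and size come straight from the glyph geometry
 * and the buffer is indexed without checking that the target pixel lies
 * inside rows x width. Only ever called with an in-range box here. */
static void box_unchecked(Bitmap *bm, int x, int y, int w, int h)
{
    for (int j = 0; j < h; j++)
        for (int i = 0; i < w; i++)
            if (on_border(i, j, w, h))
                bm->buffer[(y + j) * bm->pitch + (x + i)] = 0xff;
}

/* Count, without performing them, the writes box_unchecked() would make
 * outside the heap allocation [0, rows * pitch). */
static size_t box_oob_writes(const Bitmap *bm, int x, int y, int w, int h)
{
    long limit = (long)bm->rows * bm->pitch;
    size_t oob = 0;
    for (int j = 0; j < h; j++)
        for (int i = 0; i < w; i++) {
            if (!on_border(i, j, w, h))
                continue;
            long idx = (long)(y + j) * bm->pitch + (x + i);
            if (idx < 0 || idx >= limit)
                oob++;
        }
    return oob;
}

/* Hardened form: reject degenerate geometry and clip every pixel to the
 * bitmap before touching the buffer. Returns the number of pixels written. */
static size_t box_checked(Bitmap *bm, int x, int y, int w, int h)
{
    if (bm->buffer == NULL || bm->pitch <= 0 || w <= 0 || h <= 0)
        return 0;
    size_t written = 0;
    for (int j = 0; j < h; j++) {
        int yy = y + j;
        if (yy < 0 || (unsigned int)yy >= bm->rows)
            continue;
        for (int i = 0; i < w; i++) {
            int xx = x + i;
            if (xx < 0 || (unsigned int)xx >= bm->width)
                continue;
            if (on_border(i, j, w, h)) {
                bm->buffer[(size_t)yy * (size_t)bm->pitch + (size_t)xx] = 0xff;
                written++;
            }
        }
    }
    return written;
}

/* Constructed sample input: a fresh, zeroed 8x8 grey bitmap. */
static Bitmap *make_bitmap(void)
{
    Bitmap *bm = calloc(1, sizeof *bm);
    bm->rows = 8; bm->width = 8; bm->pitch = 8;
    bm->buffer = calloc((size_t)bm->rows * bm->pitch, 1);
    return bm;
}
static void free_bitmap(Bitmap *bm) { free(bm->buffer); free(bm); }

static size_t scenario_oob(int x, int y, int w, int h)
{
    Bitmap *bm = make_bitmap();
    size_t n = box_oob_writes(bm, x, y, w, h);
    free_bitmap(bm);
    return n;
}
static size_t scenario_checked(int x, int y, int w, int h)
{
    Bitmap *bm = make_bitmap();
    size_t n = box_checked(bm, x, y, w, h);
    free_bitmap(bm);
    return n;
}
/* buffer[idx] after the clipped draw, or -1 if idx is off the allocation. */
static int scenario_pixel(int x, int y, int w, int h, size_t idx)
{
    Bitmap *bm = make_bitmap();
    box_checked(bm, x, y, w, h);
    int v = idx < (size_t)bm->rows * bm->pitch ? bm->buffer[idx] : -1;
    free_bitmap(bm);
    return v;
}

int main(void)
{
    Bitmap *bm = make_bitmap();
    box_unchecked(bm, 1, 1, 4, 4);   /* fits: both paths behave the same */
    free_bitmap(bm);
    printf("in-range box:    oob=%zu checked=%zu\n",
           scenario_oob(1, 1, 4, 4), scenario_checked(1, 1, 4, 4));
    /* Box hanging off the bottom-right corner: the unchecked arithmetic
     * would write past the allocation; the clipped draw paints what fits. */
    printf("overhanging box: oob=%zu checked=%zu\n",
           scenario_oob(6, 6, 4, 4), scenario_checked(6, 6, 4, 4));
    return 0;
}
```

Note the two failure modes the clipping covers: indices past `rows * pitch`, which are heap writes outside the allocation, and indices with `xx >= width` on a valid row, which stay inside the allocation but land in the wrong scanline (pixel 56 below) and would silently corrupt neighbouring data rather than crash.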
Comment 2 Jan Lieskovsky 2011-01-20 08:01:33 EST
Created pango tracking bugs for this issue

Affects: fedora-all [bug 671123]
Comment 4 Huzaifa S. Sidhpurwala 2011-01-21 01:03:10 EST
This has been assigned CVE-2011-0020
Comment 5 Josh Bressers 2011-01-21 13:42:03 EST
This flaw does not affect RHEL4. The code in question does not exist in that version of Pango.

This flaw should affect evolution28-pango on RHEL4 and pango on RHEL 5 and RHEL 6. The public reproducer does not work, as a different codepath is exercised than on systems that crash, but the faulty arithmetic is there. There are many possible codepaths that can exercise this bug.
Comment 6 Josh Bressers 2011-01-21 13:43:17 EST
I've looked over how pango is used in Red Hat Enterprise Linux. I do not believe this poses a significant risk. Nothing that uses pango for layout will accept arbitrary font input. Since this bug needs a malformed font, user interaction will be needed to exploit this flaw.
Comment 9 Josh Bressers 2011-01-21 13:53:34 EST
Created pango tracking bugs for this issue

Affects: fedora-all [bug 671123]
Comment 10 Behdad Esfahbod 2011-01-21 14:36:58 EST
Also note that no one uses the PangoFT2 fontmap, except for maybe the GIMP and possibly old Inkscape.  It's NOT used in GTK+ rendering or Firefox, etc.
Comment 11 Josh Bressers 2011-01-21 16:34:23 EST
The upstream bug has a patch. I'm testing it now.
Comment 12 errata-xmlrpc 2011-01-27 13:36:41 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6.Z
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2011:0180 https://rhn.redhat.com/errata/RHSA-2011-0180.html
