http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9

FEDORA-2011-3194

SUSE-SR:2011:005

43559

43572

43578

43800

1025145

DSA-2178

MDVSA-2011:040

RHSA-2011:0309

46632

USN-1082-1

ADV-2011-0543

ADV-2011-0555

ADV-2011-0558

ADV-2011-0584

ADV-2011-0683

https://bugzilla.mozilla.org/show_bug.cgi?id=606997

https://bugzilla.novell.com/show_bug.cgi?id=672502

https://bugzilla.redhat.com/show_bug.cgi?id=678563

https://build.opensuse.org/request/show/63070

pango-hbbufferensure-bo(65770)

Specially crafted font files could cause a heap corruption in applications linked against pango (CVE-2011-0064, CVE-2011-0020).

The remote host is affected by the vulnerability described in GLSA-201405-13 (Pango: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Pango. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could entice a user to load specially       crafted text using an application linked against Pango, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

From Red Hat Security Advisory 2011:0309 :

Updated pango packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Pango is a library used for the layout and rendering of internationalized text.

It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064)

Red Hat would like to thank the Mozilla Security Team for reporting this issue.

All pango users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, you must restart your system or restart the X server for the update to take effect.

It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064)

After installing this update, you must restart your system or restart the X server for the update to take effect.

Specially crafted font files could cause a heap corruption in applications linked against pango. (CVE-2011-0064 / CVE-2011-0020)

It was discovered that pango did not check for memory reallocation failures in hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index used for accessing members of the incorrectly reallocated array, resulting in the use of NULL address as the base array address. This can result in application crash or, possibly, code execution.

It was demonstrated that it's possible to trigger this flaw in Firefox via a specially crafted web page.

Mozilla bug report (currently not public):
https://bugzilla.mozilla.org/show_bug.cgi?id=606997

Fix in the harfbuzz git:
http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e

Acknowledgements :

Red Hat would like to thank Mozilla Security Team for reporting this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found and corrected in pango :

It was discovered that pango did not check for memory reallocation failures in hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index used for accessing members of the incorrectly reallocated array, resulting in the use of NULL address as the base array address. This can result in application crash or, possibly, code execution (CVE-2011-0064).

The updated packages have been patched to correct this issue.

Marc Schoenefeld discovered that Pango incorrectly handled certain Glyph Definition (GDEF) tables. If a user were tricked into displaying text with a specially crafted font, an attacker could cause Pango to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS and 9.10. (CVE-2010-0421)

Dan Rosenberg discovered that Pango incorrectly handled certain FT_Bitmap objects. If a user were tricked into displaying text with a specially- crafted font, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2011-0020)

It was discovered that Pango incorrectly handled certain memory reallocation failures. If a user were tricked into displaying text in a way that would cause a reallocation failure, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. This issue only affected Ubuntu 9.10, 10.04 LTS and 10.10. (CVE-2011-0064).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Pango did not check for memory allocation failures, causing a NULL pointer dereference with an adjustable offset. This can lead to application crashes and potentially arbitrary code execution.

The oldstable distribution (lenny) is not affected by this problem.

Updated pango packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Pango is a library used for the layout and rendering of internationalized text.

It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064)

Red Hat would like to thank the Mozilla Security Team for reporting this issue.

All pango users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, you must restart your system or restart the X server for the update to take effect.

ID	Name	Product	Family	Severity
75599	openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)	Nessus	SuSE Local Security Checks	high
74056	GLSA-201405-13 : Pango: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
68212	Oracle Linux 6 : pango (ELSA-2011-0309)	Nessus	Oracle Linux Local Security Checks	medium
60970	Scientific Linux Security Update : pango on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
53753	openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)	Nessus	SuSE Local Security Checks	high
52960	SuSE 11.1 Security Update : pango (SAT Patch Number 4065)	Nessus	SuSE Local Security Checks	high
52696	Fedora 14 : pango-1.28.1-5.fc14 (2011-3194)	Nessus	Fedora Local Security Checks	medium
52541	Mandriva Linux Security Advisory : pango (MDVSA-2011:040)	Nessus	Mandriva Local Security Checks	medium
52529	Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : pango1.0 vulnerabilities (USN-1082-1)	Nessus	Ubuntu Local Security Checks	high
52512	Debian DSA-2178-1 : pango1.0 - NULL pointer dereference	Nessus	Debian Local Security Checks	medium
52493	RHEL 6 : pango (RHSA-2011:0309)	Nessus	Red Hat Local Security Checks	medium

CVE-2011-0064

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

medium

medium

high

high

medium

medium

high

medium

medium