Debian Bug report logs - #527474
pango1.0: integer overflow in heap allocation size calculations

version graph

Package: pango1.0; Maintainer for pango1.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Thu, 7 May 2009 19:54:01 UTC

Severity: grave

Tags: security

Fixed in version 1.24.0-2

Done: Steffen Joeris <steffen.joeris@skolelinux.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#527474; Package pango. (Thu, 07 May 2009 19:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org. (Thu, 07 May 2009 19:54:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: pango1.0: integer overflow in heap allocation size calculations
Date: Thu, 7 May 2009 15:51:48 -0400
package: pango
severity: grave
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for pango1.0.

CVE-2009-1194[0]:
|Pango is a library for laying out and rendering text, with an emphasis
|on internationalization.  Pango suffers from a multiplicative integer
|overflow which may lead to a potentially exploitable, heap overflow
|depending on the calling conditions.  For example, this vulnerability is
|remotely reachable in Firefox by creating an overly large
|document.location value but only results in a process-terminating,
|allocation error (denial of service).
|
|The affected function is pango_glyph_string_set_size. An overflow check
|when doubling the size neglects the overflow possible on the subsequent
|allocation:
|
|  string->glyphs = g_realloc (string->glyphs, string->space *
|                              sizeof (PangoGlyphInfo));
|
|Note that other font rendering subsystems suffer from similar issues and
|should be cross-checked by maintainers.

Please coordinate with the security team (team@security.debian.org)
to prepare updates for the stable releases.

See also see USN-773-1 [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
    http://security-tracker.debian.net/tracker/CVE-2009-1194
[1] http://www.ubuntu.com/usn/USN-773-1




Bug reassigned from package `pango' to `pango1.0'. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Thu, 07 May 2009 20:06:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#527474; Package pango1.0. (Fri, 08 May 2009 12:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. (Fri, 08 May 2009 12:24:04 GMT) Full text and rfc822 format available.

Message #12 received at 527474@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 527474@bugs.debian.org
Subject: Re: pango1.0: integer overflow in heap allocation size calculations
Date: Fri, 08 May 2009 08:21:26 -0400
Here is the upstream commit:

http://git.gnome.org/cgit/pango/commit/?id=4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e







Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
You have taken responsibility. (Sun, 10 May 2009 15:27:03 GMT) Full text and rfc822 format available.

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 10 May 2009 15:27:06 GMT) Full text and rfc822 format available.

Message #17 received at 527474-done@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 527474-done@bugs.debian.org
Subject: pango issue fixed in sid
Date: Mon, 11 May 2009 01:25:02 +1000
[Message part 1 (text/plain, inline)]
Version: 1.24.0-2

The bug has been fixed upstream and the fix made it into sid/squeeze.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Jun 2009 07:39:47 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:16:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.