Debian Bug report logs - #574021
CVE-2010-0421: libpangoft2 segfaults on forged font files

version graph

Package: pango1.0; Maintainer for pango1.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 15 Mar 2010 18:52:12 UTC

Severity: grave

Tags: security

Fixed in versions 1.26.2-2, pango1.0/1.20.5-5+lenny1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#574021; Package pango1.0. (Mon, 15 Mar 2010 18:52:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastien Bacher <seb128@debian.org>. (Mon, 15 Mar 2010 18:52:15 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0421: libpangoft2 segfaults on forged font files
Date: Mon, 15 Mar 2010 19:49:30 +0100
Package: pango1.0
Severity: grave
Tags: security

The following security issue in Pango was reported by Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0421 

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#574021; Package pango1.0. (Sat, 20 Mar 2010 13:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. (Sat, 20 Mar 2010 13:36:03 GMT) Full text and rfc822 format available.

Message #10 received at 574021@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 574021@bugs.debian.org
Subject: Patch
Date: Sat, 20 Mar 2010 14:26:33 +0100
[Message part 1 (text/plain, inline)]
Hi,

attacked is the debdiff for the lenny version.

Cheers,
Giuseppe.
[pango1.0_1.20.5-5+lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Mon, 22 Mar 2010 07:54:35 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 22 Mar 2010 07:54:35 GMT) Full text and rfc822 format available.

Message #15 received at 574021-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 574021-close@bugs.debian.org
Subject: Bug#574021: fixed in pango1.0 1.20.5-5+lenny1
Date: Mon, 22 Mar 2010 07:52:42 +0000
Source: pango1.0
Source-Version: 1.20.5-5+lenny1

We believe that the bug you reported is fixed in the latest version of
pango1.0, which is due to be installed in the Debian FTP archive:

libpango1.0-0-dbg_1.20.5-5+lenny1_i386.deb
  to main/p/pango1.0/libpango1.0-0-dbg_1.20.5-5+lenny1_i386.deb
libpango1.0-0_1.20.5-5+lenny1_i386.deb
  to main/p/pango1.0/libpango1.0-0_1.20.5-5+lenny1_i386.deb
libpango1.0-common_1.20.5-5+lenny1_all.deb
  to main/p/pango1.0/libpango1.0-common_1.20.5-5+lenny1_all.deb
libpango1.0-dev_1.20.5-5+lenny1_i386.deb
  to main/p/pango1.0/libpango1.0-dev_1.20.5-5+lenny1_i386.deb
libpango1.0-doc_1.20.5-5+lenny1_all.deb
  to main/p/pango1.0/libpango1.0-doc_1.20.5-5+lenny1_all.deb
libpango1.0-udeb_1.20.5-5+lenny1_i386.udeb
  to main/p/pango1.0/libpango1.0-udeb_1.20.5-5+lenny1_i386.udeb
pango1.0_1.20.5-5+lenny1.diff.gz
  to main/p/pango1.0/pango1.0_1.20.5-5+lenny1.diff.gz
pango1.0_1.20.5-5+lenny1.dsc
  to main/p/pango1.0/pango1.0_1.20.5-5+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 574021@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated pango1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 18 Mar 2010 15:18:06 +0100
Source: pango1.0
Binary: libpango1.0-0 libpango1.0-udeb libpango1.0-common libpango1.0-dev libpango1.0-0-dbg libpango1.0-doc
Architecture: source all i386
Version: 1.20.5-5+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 libpango1.0-0 - Layout and rendering of internationalized text
 libpango1.0-0-dbg - The Pango library and debugging symbols
 libpango1.0-common - Modules and configuration files for the Pango
 libpango1.0-dev - Development files for the Pango
 libpango1.0-doc - Documentation files for the Pango
 libpango1.0-udeb - Layout and rendering of internationalized text - minimal runtime (udeb)
Closes: 574021
Changes: 
 pango1.0 (1.20.5-5+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-0421: improper input sanitization, leading to array indexing
     error, in the way Pango font rendering library synthesized Glyph Definition
     Table (GDEF) from the font's character map and the Unicode property
     database. (Closes: #574021)
Checksums-Sha1: 
 f8a6afef60f827092d68896d44f14cb096d0d5b5 1647 pango1.0_1.20.5-5+lenny1.dsc
 d23301ba3d33741033574edd39f28927e2a625d6 30609 pango1.0_1.20.5-5+lenny1.diff.gz
 8007f043bd539f76ea4633f5c4eb58fb1b2b12fa 64556 libpango1.0-common_1.20.5-5+lenny1_all.deb
 48bd0fc34f5713915f8470c3829363d2fcf86bb7 286750 libpango1.0-doc_1.20.5-5+lenny1_all.deb
 7d17d86a8fc2e587f593eadf5ae2041d2c29ba4b 285456 libpango1.0-0_1.20.5-5+lenny1_i386.deb
 8163d53e554316e426c4712d85c8a2a3ff3296e7 213822 libpango1.0-udeb_1.20.5-5+lenny1_i386.udeb
 eff7dbb2afbb55c5dbb7c4d0f472c817934891c3 350456 libpango1.0-dev_1.20.5-5+lenny1_i386.deb
 fe451e414045446a4ea231525c7470a455fec4ef 719590 libpango1.0-0-dbg_1.20.5-5+lenny1_i386.deb
Checksums-Sha256: 
 d725cc05413f08c7124aaf471cde001cfa82eb5a13bfecaf5883426c8ed2e968 1647 pango1.0_1.20.5-5+lenny1.dsc
 1e26291e1cae6feae4a22627aa4e7fed2e51c1320e6fc4adaa1b6ebac1db4f64 30609 pango1.0_1.20.5-5+lenny1.diff.gz
 950a7d63934b76928b96d9c64b48582143dd92de36b3ab4c8e37909100f82e85 64556 libpango1.0-common_1.20.5-5+lenny1_all.deb
 e76364ab6ba35e7d47efa605cd9aa31e757bc05cfa78980b4ac3e108b769095d 286750 libpango1.0-doc_1.20.5-5+lenny1_all.deb
 4cf25cf7ca8882b041860326bfc7d25c40e798aabc0f5d70aa33ff20fbf33c35 285456 libpango1.0-0_1.20.5-5+lenny1_i386.deb
 b36f3a187500ef892c9da228b241b9dda783c089f36a3486674b81cfe2863597 213822 libpango1.0-udeb_1.20.5-5+lenny1_i386.udeb
 c06fbebcf385be38f152826369af947301ba9349833bd478d2f1f66b21c34fc0 350456 libpango1.0-dev_1.20.5-5+lenny1_i386.deb
 9c73e590a8100e3121aa0c0921884cdd1a57a3fbc282e5d3d26b4f1f0d2108d0 719590 libpango1.0-0-dbg_1.20.5-5+lenny1_i386.deb
Files: 
 65108152472b632d5214ba3eed1191f9 1647 libs optional pango1.0_1.20.5-5+lenny1.dsc
 59b83220ce8e5663d1576c9c62cda04f 30609 libs optional pango1.0_1.20.5-5+lenny1.diff.gz
 b50adb928602040044cc0469b210dc16 64556 misc optional libpango1.0-common_1.20.5-5+lenny1_all.deb
 df6f2e6739297305f301a9b21519d32c 286750 doc optional libpango1.0-doc_1.20.5-5+lenny1_all.deb
 9347047a1ea7fda4d856670254c3c31c 285456 libs optional libpango1.0-0_1.20.5-5+lenny1_i386.deb
 0a8a83f93880866b00af792b415ac977 213822 debian-installer optional libpango1.0-udeb_1.20.5-5+lenny1_i386.udeb
 a0dd849fc1ff64d445b04e8f2e936872 350456 libdevel optional libpango1.0-dev_1.20.5-5+lenny1_i386.deb
 8991fef0ff79ca19bac8094d1bc2b3c8 719590 libdevel extra libpango1.0-0-dbg_1.20.5-5+lenny1_i386.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuiO3UACgkQNxpp46476apHrQCgmehgnvGG4PzYs91Qro5BdJZj
3DAAnRuzYiQs1ThBxTItZ+e6T7RaLytC
=h/VC
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>:
Bug#574021; Package pango1.0. (Sat, 27 Mar 2010 17:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>. (Sat, 27 Mar 2010 17:54:04 GMT) Full text and rfc822 format available.

Message #20 received at 574021@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: control@bugs.debian.org, 574021@bugs.debian.org
Subject: unstable not affected
Date: Sat, 27 Mar 2010 14:53:31 -0400
fixed 574021 1.26.2-1
thanks

i've checked the pango source code in unstable, and the vulnerable code
is not present.

mike




Bug Marked as fixed in versions 1.26.2-1. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 27 Mar 2010 17:54:08 GMT) Full text and rfc822 format available.

Bug No longer marked as fixed in versions 1.26.2-1. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 27 Mar 2010 18:12:06 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 1.26.2-2. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 27 Mar 2010 18:12:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 24 Jul 2010 07:33:36 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:28:00 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.