Vigil@nce: Pango, integer overflow
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When Pango is used on a long text string, an integer overflow
occurs and leads to a denial of service or to code execution.
Severity: 2/4
Consequences: user access/rights, denial of service of client
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 11/05/2009
IMPACTED PRODUCTS
– Debian Linux
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Pango library is used to layout and to display text. It is for
example called by Firefox and Evolution.
The pango_glyph_string_set_size() function of the glyphstring.c
file is used to resize a string. In order to do so, it reallocates
a memory area with:
realloc(mem, string->space * sizeof (PangoGlyphInfo));
However, this multiplication can overflow, and thus the allocated
size becomes shorter than the string to store. A memory corruption
then occurs.
An attacker can therefore force a software linked to Pango to use
a long string in order to generate a denial of service or to
execute code.
CHARACTERISTICS
Identifiers: CVE-2009-1194, DSA-1798-1, oCERT-2009-001,
RHSA-2009:0476-01, VIGILANCE-VUL-8701
http://vigilance.fr/vulnerability/Pango-integer-overflow-8701