ID CVE-2009-1194
Summary Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
References
Vulnerable Configurations
  • cpe:2.3:a:pango:pango:1.2
    cpe:2.3:a:pango:pango:1.2
  • cpe:2.3:a:pango:pango:1.4
    cpe:2.3:a:pango:pango:1.4
  • cpe:2.3:a:pango:pango:1.6
    cpe:2.3:a:pango:pango:1.6
  • cpe:2.3:a:pango:pango:1.8
    cpe:2.3:a:pango:pango:1.8
  • cpe:2.3:a:pango:pango:1.10
    cpe:2.3:a:pango:pango:1.10
  • cpe:2.3:a:pango:pango:1.12
    cpe:2.3:a:pango:pango:1.12
  • cpe:2.3:a:pango:pango:1.14
    cpe:2.3:a:pango:pango:1.14
  • cpe:2.3:a:pango:pango:1.16
    cpe:2.3:a:pango:pango:1.16
  • cpe:2.3:a:pango:pango:1.18
    cpe:2.3:a:pango:pango:1.18
  • cpe:2.3:a:pango:pango:1.20
    cpe:2.3:a:pango:pango:1.20
  • cpe:2.3:a:pango:pango:1.22
    cpe:2.3:a:pango:pango:1.22
CVSS
Base: 6.8 (as of 11-05-2009 - 13:08)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201405-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-201405-13 (Pango: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Pango. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could entice a user to load specially crafted text using an application linked against Pango, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2015-04-13
    plugin id 74056
    published 2014-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74056
    title GLSA-201405-13 : Pango: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PANGO-6801.NASL
    description A long glyph string can trigger a heap-based buffer overflow in pango. (CVE-2009-1194)
    last seen 2018-09-02
    modified 2012-06-14
    plugin id 44593
    published 2010-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44593
    title SuSE 10 Security Update : pango (ZYPP Patch Number 6801)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4B1722783F4611DEBECB001CC0377035.NASL
    description oCERT reports : Pango suffers from a multiplicative integer overflow which may lead to a potentially exploitable, heap overflow depending on the calling conditions. For example, this vulnerability is remotely reachable in Firefox by creating an overly large document.location value but only results in a process-terminating, allocation error (denial of service). The affected function is pango_glyph_string_set_size. An overflow check when doubling the size neglects the overflow possible on the subsequent allocation.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 38751
    published 2009-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38751
    title FreeBSD : pango -- integer overflow (4b172278-3f46-11de-becb-001cc0377035)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0476.NASL
    description From Red Hat Security Advisory 2009:0476 : Updated pango and evolution28-pango packages that fix an integer overflow flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Pango is a library used for the layout and rendering of internationalized text. Will Drewry discovered an integer overflow flaw in Pango's pango_glyph_string_set_size() function. If an attacker is able to pass an arbitrarily long string to Pango, it may be possible to execute arbitrary code with the permissions of the application calling Pango. (CVE-2009-1194) pango and evolution28-pango users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Note: Restarting the X server closes all open applications and logs you out of your session.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67856
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67856
    title Oracle Linux 3 / 4 / 5 : pango (ELSA-2009-0476)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0476.NASL
    description Updated pango and evolution28-pango packages that fix an integer overflow flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Pango is a library used for the layout and rendering of internationalized text. Will Drewry discovered an integer overflow flaw in Pango's pango_glyph_string_set_size() function. If an attacker is able to pass an arbitrarily long string to Pango, it may be possible to execute arbitrary code with the permissions of the application calling Pango. (CVE-2009-1194) pango and evolution28-pango users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Note: Restarting the X server closes all open applications and logs you out of your session.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 38721
    published 2009-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38721
    title CentOS 3 / 4 / 5 : pango (CESA-2009:0476)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_PANGO-100127.NASL
    description A long glyph string can trigger a heap-based buffer overflow in pango. (CVE-2009-1194)
    last seen 2018-09-02
    modified 2013-10-25
    plugin id 44592
    published 2010-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44592
    title SuSE 11 Security Update : pango (SAT Patch Number 1880)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PANGO-6800.NASL
    description A long glyph string can trigger a heap-based buffer overflow in pango. (CVE-2009-1194)
    last seen 2018-09-01
    modified 2012-06-14
    plugin id 49911
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49911
    title SuSE 10 Security Update : pango (ZYPP Patch Number 6800)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090508_PANGO_ON_SL3_X.NASL
    description Will Drewry discovered an integer overflow flaw in Pango's pango_glyph_string_set_size() function. If an attacker is able to pass an arbitrarily long string to Pango, it may be possible to execute arbitrary code with the permissions of the application calling Pango. (CVE-2009-1194) After installing this update, you must restart your system or restart the X server for the update to take effect. Note: Restarting the X server closes all open applications and logs you out of your session.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60582
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60582
    title Scientific Linux Security Update : pango on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-158.NASL
    description Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow. This update corrects the issue. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 40359
    published 2009-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40359
    title Mandriva Linux Security Advisory : pango (MDVSA-2009:158-3)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-773-1.NASL
    description Will Drewry discovered that Pango incorrectly handled rendering text with long glyphstrings. If a user were tricked into displaying specially crafted data with applications linked against Pango, such as Firefox, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 38716
    published 2009-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38716
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 : pango1.0 vulnerability (USN-773-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MOZILLAFIREFOX-6379.NASL
    description The MozillaFirefox 3.0.12 release fixes various bugs and some critical security issues. MFSA 2009-34 / CVE-2009-2462 / CVE-2009-2463 / CVE-2009-2464 / CVE-2009-2465 / CVE-2009-2466: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2009-35 / CVE-2009-2467: Security researcher Attila Suszter reported that when a page contains a Flash object which presents a slow script dialog, and the page is navigated while the dialog is still visible to the user, the Flash plugin is unloaded resulting in a crash due to a call to the deleted object. This crash could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2009-36 / CVE-2009-1194: oCERT security researcher Will Drewry reported a series of heap and integer overflow vulnerabilities which independently affected multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An attacker could trigger these overflows by constructing a very large text run for the browser to display. Such an overflow can result in a crash which the attacker could potentially use to run arbitrary code on a victim's computer. The open-source nature of Linux meant that Mozilla was able to work with the libpango maintainers to implement the correct fix in version 1.24 of that system library which was distributed with OS security updates. On Mac OS X Firefox works around the CoreGraphics flaw by limiting the length of text runs passed to the system. MFSA 2009-37 / CVE-2009-2469: Security researcher PenPal reported a crash involving a SVG element on which a watch function and __defineSetter__ function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2009-39 / CVE-2009-2471: Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges. MFSA 2009-40 / CVE-2009-2472: Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been set by a different website. A malicious website could use this vulnerability to launch a XSS attack and run arbitrary JavaScript within the context of another site.
    last seen 2019-01-16
    modified 2016-12-22
    plugin id 41983
    published 2009-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41983
    title openSUSE 10 Security Update : MozillaFirefox (MozillaFirefox-6379)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1162.NASL
    description Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2471) Several flaws were found in the way Firefox handles malformed JavaScript code. A website containing malicious content could launch a cross-site scripting (XSS) attack or execute arbitrary JavaScript with the permissions of another website. (CVE-2009-2472) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.12. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.12, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-01-16
    modified 2018-12-20
    plugin id 40340
    published 2009-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40340
    title RHEL 4 / 5 : firefox (RHSA-2009:1162)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_PANGO-100119.NASL
    description Long glyph string could trigger a heap-based buffer overflow in pango (CVE-2009-1194).
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 44609
    published 2010-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44609
    title openSUSE Security Update : pango (pango-1829)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_MOZILLAFIREFOX-090724.NASL
    description The MozillaFirefox 3.0.12 release fixes various bugs and some critical security issues. MFSA 2009-34 / CVE-2009-2462 / CVE-2009-2463 / CVE-2009-2464 / CVE-2009-2465 / CVE-2009-2466: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2009-35 / CVE-2009-2467: Security researcher Attila Suszter reported that when a page contains a Flash object which presents a slow script dialog, and the page is navigated while the dialog is still visible to the user, the Flash plugin is unloaded resulting in a crash due to a call to the deleted object. This crash could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2009-36 / CVE-2009-1194: oCERT security researcher Will Drewry reported a series of heap and integer overflow vulnerabilities which independently affected multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An attacker could trigger these overflows by constructing a very large text run for the browser to display. Such an overflow can result in a crash which the attacker could potentially use to run arbitrary code on a victim's computer. The open-source nature of Linux meant that Mozilla was able to work with the libpango maintainers to implement the correct fix in version 1.24 of that system library which was distributed with OS security updates. On Mac OS X Firefox works around the CoreGraphics flaw by limiting the length of text runs passed to the system. MFSA 2009-37 / CVE-2009-2469: Security researcher PenPal reported a crash involving a SVG element on which a watch function and __defineSetter__ function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2009-39 / CVE-2009-2471: Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges. MFSA 2009-40 / CVE-2009-2472: Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been set by a different website. A malicious website could use this vulnerability to launch a XSS attack and run arbitrary JavaScript within the context of another site.
    last seen 2019-01-16
    modified 2016-12-21
    plugin id 40403
    published 2009-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40403
    title openSUSE Security Update : MozillaFirefox (MozillaFirefox-1135)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1162.NASL
    description Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2471) Several flaws were found in the way Firefox handles malformed JavaScript code. A website containing malicious content could launch a cross-site scripting (XSS) attack or execute arbitrary JavaScript with the permissions of another website. (CVE-2009-2472) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.12. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.12, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 43769
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43769
    title CentOS 5 : firefox (CESA-2009:1162)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0476.NASL
    description Updated pango and evolution28-pango packages that fix an integer overflow flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Pango is a library used for the layout and rendering of internationalized text. Will Drewry discovered an integer overflow flaw in Pango's pango_glyph_string_set_size() function. If an attacker is able to pass an arbitrarily long string to Pango, it may be possible to execute arbitrary code with the permissions of the application calling Pango. (CVE-2009-1194) pango and evolution28-pango users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, you must restart your system or restart the X server for the update to take effect. Note: Restarting the X server closes all open applications and logs you out of your session.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 38732
    published 2009-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38732
    title RHEL 3 / 4 / 5 : pango (RHSA-2009:0476)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_MOZILLAFIREFOX-090724.NASL
    description The MozillaFirefox 3.0.12 release fixes various bugs and some critical security issues. MFSA 2009-34 / CVE-2009-2462 / CVE-2009-2463 / CVE-2009-2464 / CVE-2009-2465 / CVE-2009-2466: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. MFSA 2009-35 / CVE-2009-2467: Security researcher Attila Suszter reported that when a page contains a Flash object which presents a slow script dialog, and the page is navigated while the dialog is still visible to the user, the Flash plugin is unloaded resulting in a crash due to a call to the deleted object. This crash could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2009-36 / CVE-2009-1194: oCERT security researcher Will Drewry reported a series of heap and integer overflow vulnerabilities which independently affected multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An attacker could trigger these overflows by constructing a very large text run for the browser to display. Such an overflow can result in a crash which the attacker could potentially use to run arbitrary code on a victim's computer. The open-source nature of Linux meant that Mozilla was able to work with the libpango maintainers to implement the correct fix in version 1.24 of that system library which was distributed with OS security updates. On Mac OS X Firefox works around the CoreGraphics flaw by limiting the length of text runs passed to the system. MFSA 2009-37 / CVE-2009-2469: Security researcher PenPal reported a crash involving a SVG element on which a watch function and __defineSetter__ function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer. MFSA 2009-39 / CVE-2009-2471: Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges. MFSA 2009-40 / CVE-2009-2472: Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been set by a different website. A malicious website could use this vulnerability to launch a XSS attack and run arbitrary JavaScript within the context of another site.
    last seen 2019-01-16
    modified 2016-12-21
    plugin id 40404
    published 2009-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40404
    title openSUSE Security Update : MozillaFirefox (MozillaFirefox-1135)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12575.NASL
    description A long glyph string can trigger a heap-based buffer overflow in pango. (CVE-2009-1194)
    last seen 2018-09-02
    modified 2012-06-14
    plugin id 44591
    published 2010-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44591
    title SuSE9 Security Update : pango (YOU Patch Number 12575)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_PANGO-100119.NASL
    description Long glyph string could trigger a heap-based buffer overflow in pango (CVE-2009-1194).
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 44614
    published 2010-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44614
    title openSUSE Security Update : pango (pango-1829)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_MOZILLAFIREFOX-090724.NASL
    description The Mozilla Firefox 3.0.12 release fixes various bugs and some critical security issues. - Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (MFSA 2009-34 / CVE-2009-2462 / CVE-2009-2463 / CVE-2009-2464 / CVE-2009-2465 / CVE-2009-2466) - Security researcher Attila Suszter reported that when a page contains a Flash object which presents a slow script dialog, and the page is navigated while the dialog is still visible to the user, the Flash plugin is unloaded resulting in a crash due to a call to the deleted object. This crash could potentially be used by an attacker to run arbitrary code on a victim's computer. (MFSA 2009-35 / CVE-2009-2467) - oCERT security researcher Will Drewry reported a series of heap and integer overflow vulnerabilities which independently affected multiple font glyph rendering libraries. On Linux platforms libpango was susceptible to the vulnerabilities while on OS X CoreGraphics was similarly vulnerable. An attacker could trigger these overflows by constructing a very large text run for the browser to display. Such an overflow can result in a crash which the attacker could potentially use to run arbitrary code on a victim's computer. The open source nature of Linux meant that Mozilla was able to work with the libpango maintainers to implement the correct fix in version 1.24 of that system library which was distributed with OS security updates. On Mac OS X Firefox works around the CoreGraphics flaw by limiting the length of text runs passed to the system. (MFSA 2009-36 / CVE-2009-1194) - Security researcher PenPal reported a crash involving a SVG element on which a watch function and __defineSetter__ function have been set for a particular property. The crash showed evidence of memory corruption and could potentially be used by an attacker to run arbitrary code on a victim's computer. (MFSA 2009-37 / CVE-2009-2469) - Mozilla developer Blake Kaplan reported that setTimeout, when called with certain object parameters which should be protected with a XPCNativeWrapper, will fail to keep the object wrapped when compiling the new function to be executed. If chrome privileged code were to call setTimeout using this as an argument, the this object will lose its wrapper and could be unsafely accessed by chrome code. An attacker could use such vulnerable code to run arbitrary JavaScript with chrome privileges. (MFSA 2009-39 / CVE-2009-2471) - Mozilla security researcher moz_bug_r_a4 reported a series of vulnerabilities in which objects that normally receive a XPCCrossOriginWrapper are constructed without the wrapper. This can lead to cases where JavaScript from one website may unsafely access properties of such an object which had been set by a different website. A malicious website could use this vulnerability to launch a XSS attack and run arbitrary JavaScript within the context of another site. (MFSA 2009-40 / CVE-2009-2472)
    last seen 2019-01-16
    modified 2016-12-21
    plugin id 41357
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41357
    title SuSE 11 Security Update : MozillaFirefox (SAT Patch Number 1134)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FIREFOX3-PANGO-7097.NASL
    description Long glyph string could trigger a heap-based buffer overflow in pango. (CVE-2009-1194)
    last seen 2018-09-02
    modified 2012-06-14
    plugin id 50080
    published 2010-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50080
    title SuSE 10 Security Update : firefox3-pango (ZYPP Patch Number 7097)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_PANGO-090428.NASL
    description This update of pango fixes a segfault in libpango that can be triggered by visiting websites. (CVE-2009-1194)
    last seen 2019-01-16
    modified 2014-04-03
    plugin id 41447
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41447
    title SuSE 11 Security Update : pango (SAT Patch Number 825)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1162.NASL
    description From Red Hat Security Advisory 2009:1162 : Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2471) Several flaws were found in the way Firefox handles malformed JavaScript code. A website containing malicious content could launch a cross-site scripting (XSS) attack or execute arbitrary JavaScript with the permissions of another website. (CVE-2009-2472) For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.12. You can find a link to the Mozilla advisories in the References section of this errata. All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.12, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    last seen 2019-01-16
    modified 2018-08-13
    plugin id 67893
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67893
    title Oracle Linux 4 / 5 : firefox (ELSA-2009-1162)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_PANGO-090512.NASL
    description This update of pango fixes a segfault in libpango that can be triggered by visiting websites. (CVE-2009-1194)
    last seen 2019-01-16
    modified 2014-06-13
    plugin id 40294
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40294
    title openSUSE Security Update : pango (pango-824)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_3012.NASL
    description The installed version of Firefox is earlier than 3.0.12. Such versions are potentially affected by the following security issues : - Multiple memory corruption vulnerabilities could potentially be exploited to execute arbitrary code. (MFSA 2009-34) - It may be possible to crash the browser or potentially execute arbitrary code by using a flash object that presents a slow script dialog. (MFSA 2009-35) - Glyph rendering libraries are affected by multiple heap/ integer overflows. (MFSA 2009-36) - A vulnerability involving SVG element could be exploited to crash the browser or execute arbitrary code on the remote system. (MFSA 2009-37) - A SOCKS5 proxy that replies with a hostname containing more than 15 characters can corrupt the subsequent data stream. This can lead to a denial of service, though there is reportedly no memory corruption. (MFSA 2009-38) - A vulnerability in 'setTimeout' could allow unsafe access to the 'this' object from chrome code. An attacker could exploit this flaw to run arbitrary JavaScript with chrome privileges. (MFSA 2009-39) - It may be possible for JavaScript from one website to bypass cross origin wrapper, and unsafely access properties of an object from another website. (MFSA 2009-40)
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 40351
    published 2009-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40351
    title Firefox < 3.0.12 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1798.NASL
    description Will Drewry discovered that pango, a system for layout and rendering of internationalized text, is prone to an integer overflow via long glyphstrings. This could cause the execution of arbitrary code when displaying crafted data through an application using the pango library.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 38725
    published 2009-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38725
    title Debian DSA-1798-1 : pango1.0 - integer overflow
oval via4
accepted 2013-04-29T04:02:07.406-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
family unix
id oval:org.mitre.oval:def:10137
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
version 24
redhat via4
advisories
bugzilla
id 496887
title CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • OR
      • AND
        • comment pango is earlier than 0:1.2.5-8
          oval oval:com.redhat.rhsa:tst:20090476002
        • comment pango is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090476003
      • AND
        • comment pango-devel is earlier than 0:1.2.5-8
          oval oval:com.redhat.rhsa:tst:20090476004
        • comment pango-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090476005
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment pango is earlier than 0:1.6.0-14.4_7
          oval oval:com.redhat.rhsa:tst:20090476007
        • comment pango is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090476003
      • AND
        • comment pango-devel is earlier than 0:1.6.0-14.4_7
          oval oval:com.redhat.rhsa:tst:20090476008
        • comment pango-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090476005
      • AND
        • comment evolution28-pango is earlier than 0:1.14.9-11.el4_7
          oval oval:com.redhat.rhsa:tst:20090476009
        • comment evolution28-pango is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090476010
      • AND
        • comment evolution28-pango-devel is earlier than 0:1.14.9-11.el4_7
          oval oval:com.redhat.rhsa:tst:20090476011
        • comment evolution28-pango-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20090476012
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment pango is earlier than 0:1.14.9-5.el5_3
          oval oval:com.redhat.rhsa:tst:20090476014
        • comment pango is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090476015
      • AND
        • comment pango-devel is earlier than 0:1.14.9-5.el5_3
          oval oval:com.redhat.rhsa:tst:20090476016
        • comment pango-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090476017
rhsa
id RHSA-2009:0476
released 2009-05-08
severity Important
title RHSA-2009:0476: pango security update (Important)
rpms
  • pango-0:1.2.5-8
  • pango-devel-0:1.2.5-8
  • pango-0:1.6.0-14.4_7
  • pango-devel-0:1.6.0-14.4_7
  • evolution28-pango-0:1.14.9-11.el4_7
  • evolution28-pango-devel-0:1.14.9-11.el4_7
  • pango-0:1.14.9-5.el5_3
  • pango-devel-0:1.14.9-5.el5_3
refmap via4
bid
  • 34870
  • 35758
bugtraq 20090507 [oCERT-2009-001] Pango integer overflow in heap allocation size calculations
confirm
debian DSA-1798
misc http://www.ocert.org/advisories/ocert-2009-001.html
mlist [oss-security] 20090507 [oCERT-2009-001] Pango integer overflow in heap allocation size calculations
osvdb 54279
sectrack 1022196
secunia
  • 35018
  • 35021
  • 35027
  • 35038
  • 35685
  • 35914
  • 36005
  • 36145
sunalert 264308
suse
  • SUSE-SA:2009:039
  • SUSE-SA:2009:042
  • SUSE-SR:2009:012
ubuntu USN-773-1
vupen
  • ADV-2009-1269
  • ADV-2009-1972
xf pango-pangoglyphstringsetsize-bo(50397)
Last major update 21-08-2010 - 01:31
Published 11-05-2009 - 11:30
Last modified 10-10-2018 - 15:34
Back to Top