The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.

Specially crafted font files could cause a heap corruption in applications linked against pango (CVE-2011-0064, CVE-2011-0020).

The remote host is affected by the vulnerability described in GLSA-201405-13 (Pango: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Pango. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could entice a user to load specially       crafted text using an application linked against Pango, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2011-0309 advisory.

    [1.28.1-3.el6_0.5]
    - Prevent an integer overflow in hb_buffer_ensure()     Related: #679693

    [1.28.1-3.el6_0.4]
    - Check for realloc failures in hb_buffer_ensure() (CVE-2011-0064)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064)

After installing this update, you must restart your system or restart the X server for the update to take effect.

Specially crafted font files could cause a heap corruption in applications linked against pango. (CVE-2011-0064 / CVE-2011-0020)

It was discovered that pango did not check for memory reallocation failures in hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index used for accessing members of the incorrectly reallocated array, resulting in the use of NULL address as the base array address. This can result in application crash or, possibly, code execution.

It was demonstrated that it's possible to trigger this flaw in Firefox via a specially crafted web page.

Mozilla bug report (currently not public):
https://bugzilla.mozilla.org/show_bug.cgi?id=606997

Fix in the harfbuzz git:
http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e

Acknowledgements :

Red Hat would like to thank Mozilla Security Team for reporting this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found and corrected in pango :

It was discovered that pango did not check for memory reallocation failures in hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index used for accessing members of the incorrectly reallocated array, resulting in the use of NULL address as the base array address. This can result in application crash or, possibly, code execution (CVE-2011-0064).

The updated packages have been patched to correct this issue.

Marc Schoenefeld discovered that Pango incorrectly handled certain Glyph Definition (GDEF) tables. If a user were tricked into displaying text with a specially crafted font, an attacker could cause Pango to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS and 9.10. (CVE-2010-0421)

Dan Rosenberg discovered that Pango incorrectly handled certain FT_Bitmap objects. If a user were tricked into displaying text with a specially- crafted font, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2011-0020)

It was discovered that Pango incorrectly handled certain memory reallocation failures. If a user were tricked into displaying text in a way that would cause a reallocation failure, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. This issue only affected Ubuntu 9.10, 10.04 LTS and 10.10. (CVE-2011-0064).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Pango did not check for memory allocation failures, causing a NULL pointer dereference with an adjustable offset. This can lead to application crashes and potentially arbitrary code execution.

The oldstable distribution (lenny) is not affected by this problem.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2011:0309 advisory.

  - pango: missing memory reallocation failure checking in hb_buffer_ensure (CVE-2011-0064)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
75599	openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)	Nessus	SuSE Local Security Checks	high
74056	GLSA-201405-13 : Pango: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
68212	Oracle Linux 6 : pango (ELSA-2011-0309)	Nessus	Oracle Linux Local Security Checks	high
60970	Scientific Linux Security Update : pango on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
53753	openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)	Nessus	SuSE Local Security Checks	high
52960	SuSE 11.1 Security Update : pango (SAT Patch Number 4065)	Nessus	SuSE Local Security Checks	high
52696	Fedora 14 : pango-1.28.1-5.fc14 (2011-3194)	Nessus	Fedora Local Security Checks	medium
52541	Mandriva Linux Security Advisory : pango (MDVSA-2011:040)	Nessus	Mandriva Local Security Checks	medium
52529	Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : pango1.0 vulnerabilities (USN-1082-1)	Nessus	Ubuntu Local Security Checks	high
52512	Debian DSA-2178-1 : pango1.0 - NULL pointer dereference	Nessus	Debian Local Security Checks	medium
52493	RHEL 6 : pango (RHSA-2011:0309)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2011-0064

high

Tenable Plugins

high

critical

high

medium

high

high

medium

medium

high

medium

critical