CVE-2009-1194
Published 2009-05-11
Priority: P428 · Severity: medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 4.13% (89.6th percentile)
Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
Affected
95 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pango1.0 | < pango1.0 1.24.0-2 (bookworm) | pango1.0 1.24.0-2 (bookworm) |
| mozilla | firefox | <= 3.0.11 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
Red Hat
pango: pango_glyph_string_set_size integer overflow
vendor_redhat · 2009-05-07 · CVSS 6.8 · MEDIUM · CWE-190
Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
Ubuntu
Pango vulnerability
vendor_ubuntu · 2009-05-07
Will Drewry discovered that Pango incorrectly handled rendering text with long glyphstrings. If a user were tricked into displaying specially crafted data with applications linked against Pango, such as Firefox, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program.
Instructions: After a standard system upgrade you need to restart your session to effect the necessary changes.
Debian
pango1.0 - Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c
vendor_debian · 2009 · CVSS 6.8 · MEDIUM
Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
Scope: local
bookworm: resolved (fixed in 1.24.0-2)
bullseye: resolved (fixed in 1.24.0-2)
forky: resolved (fixed in 1.24.0-2)
sid: resolved (fixed in 1.24.0-2)
trixie: resolved (fixed in 1.24.0-2)
GHSA
GHSA-2635-v9v9-3f2h: Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring
ghsa_unreviewed · 2022-05-02 · MEDIUM
Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
GHSA
GHSA-2fgv-c9q9-5wwh: Integer overflow in Apple CoreGraphics, as used in Safari before 4 (CVE-2009-2468, related issue)
ghsa_unreviewed · 2022-05-02 · CVSS 6.8 · MEDIUM
Integer overflow in Apple CoreGraphics, as used in Safari before 4.0.3, Mozilla Firefox before 3.0.12, and Mac OS X 10.4.11 and 10.5.8, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long text run that triggers a heap-based buffer overflow during font glyph rendering, a related issue to CVE-2009-1194.
OSV
CVE-2009-1194: Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring
osv · 2009-05-11 · CVSS 6.8 · MEDIUM
Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
bugzilla · 2009-05-26 · CVSS 6.8 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in all affected branches.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #496887: CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available and only close this bug once all affected Fedora versions are fixed.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&
Bugzilla
CVE-2009-1194 pango: pango_glyph_string_set_size integer overflow
bugzilla · 2009-04-21 · CVSS 6.8 · MEDIUM
Will Drewry reported an integer overflow flaw in pango's pango_glyph_string_set_size in pango/glyphstring.c:
```c
while (new_len > string->space)
  {
    if (string->space == 0)
      string->space = 1;
    else
      string->space *= 2;

    /* Overflow guard on the doubling. The condition and the lines between it and
       the assignment were lost in extraction; "< 0" is reconstructed from the
       report's own description of the check. */
    if (string->space < 0)
      {
        string->space = G_MAXINT - 8;
      }
  }

string->glyphs = g_realloc (string->glyphs, string->space * sizeof (PangoGlyphInfo));
```
string->space is checked against overflow when doubling it, but is not protected against overflow when multiplied by sizeof(PangoGlyphInfo).
Upstream fix:
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
Acknowledgements:
Red Hat would like to thank Will Drewry for reporting this issue.
Discussion:
According to Will
References:
http://github.com/bratsche/pango/commit/4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00002.html
http://osvdb.org/54279
http://secunia.com/advisories/35018
http://secunia.com/advisories/35021
http://secunia.com/advisories/35027
http://secunia.com/advisories/35038
http://secunia.com/advisories/35685
http://secunia.com/advisories/35914
http://secunia.com/advisories/36005
http://secunia.com/advisories/36145
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1
http://www.debian.org/security/2009/dsa-1798
http://www.mozilla.org/security/announce/2009/mfsa2009-36.html
http://www.ocert.org/advisories/ocert-2009-001.html
http://www.openwall.com/lists/oss-security/2009/05/07/1
http://www.redhat.com/support/errata/RHSA-2009-0476.html
http://www.securityfocus.com/archive/1/503349/100/0/threaded
http://www.securityfocus.com/bid/34870
http://www.securityfocus.com/bid/35758
http://www.securitytracker.com/id?1022196
http://www.ubuntu.com/usn/USN-773-1
http://www.vupen.com/english/advisories/2009/1269
http://www.vupen.com/english/advisories/2009/1972
https://bugzilla.mozilla.org/show_bug.cgi?id=480134
https://bugzilla.redhat.com/show_bug.cgi?id=496887
https://exchange.xforce.ibmcloud.com/vulnerabilities/50397
https://launchpad.net/bugs/cve/2009-1194
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10137
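To make the two-stage overflow in the Bugzilla report concrete, here is an added example (not Pango's or the reporter's code) that models the reported growth loop and the 32-bit byte computation with uint32_t arithmetic, using an assumed 12-byte element size in place of sizeof (PangoGlyphInfo), beside a checked variant that refuses the multiplication when the product cannot be represented.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Pango's code. The 32-bit build is modelled with uint32_t
   so the demo behaves the same on any host; ELEM_SIZE is an assumed 12 bytes
   standing in for sizeof (PangoGlyphInfo). */
#define ELEM_SIZE 12u
#define SPACE_CAP (INT_MAX - 8)      /* the G_MAXINT - 8 cap from the report */

/* Mirrors the reported growth loop: double `space` until it covers new_len and
   fall back to the cap when doubling would overflow int. The cap bounds the
   element count only; it says nothing about whether space * ELEM_SIZE fits. */
int grow_space(int space, long new_len)
{
    while (new_len > space) {
        if (space == 0)
            space = 1;
        else if (space > INT_MAX / 2)   /* doubling would wrap: take the cap */
            return SPACE_CAP;
        else
            space *= 2;
    }
    return space;
}

/* The byte count as a 32-bit size_t computes it: silently wraps modulo 2^32,
   so a huge element count can turn into a tiny (even zero-byte) allocation. */
uint32_t bytes_unchecked32(int space)
{
    return (uint32_t)space * ELEM_SIZE;
}

/* Hardened form: return -1 when the product is not representable, instead of
   handing a wrapped, too-small size to the allocator. */
int64_t bytes_checked32(int space)
{
    if (space < 0 || (uint32_t)space > UINT32_MAX / ELEM_SIZE)
        return -1;
    return (int64_t)space * ELEM_SIZE;
}

int main(void)
{
    int space = grow_space(0, 600000000L);      /* doubles up to 2^30 elements */
    printf("space=%d unchecked=%u checked=%lld\n", space,
           bytes_unchecked32(space), (long long)bytes_checked32(space));
    /* prints: space=1073741824 unchecked=0 checked=-1 */
    return 0;
}
```

The doubling guard passes (2^30 is a valid int), yet the unchecked byte count for 2^30 twelve-byte elements wraps to exactly 0 on a 32-bit size_t, which is the gap the report describes between the two checks.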