CVE-2018-15120
published 2018-08-24CVE-2018-15120: libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or…
PriorityP340medium6.5CVSS 3.1
AVNACLPRNUIRSUCNINAH
EXPLOIT
EPSS
11.50%
95.5th percentile
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | pango1.0 | < pango1.0 1.42.4-1 (bookworm) | pango1.0 1.42.4-1 (bookworm) |
| gnome | pango | 1.40.8 – 1.42.3 | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv6.5MEDIUM
vendor_debian6.5LOW
vendor_redhat6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-6gmw-hfp8-7f52: libpango in Pango 1
ghsa_unreviewed·2022-05-13
CVE-2018-15120 [MEDIUM] CWE-119 GHSA-6gmw-hfp8-7f52: libpango in Pango 1
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
OSV
CVE-2018-15120: libpango in Pango 1
osv·2018-08-24·CVSS 6.5
CVE-2018-15120 [MEDIUM] CVE-2018-15120: libpango in Pango 1
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
Ubuntu
Pango vulnerability
vendor_ubuntu·2018-08-22
CVE-2018-15120 Pango vulnerability
Title: Pango vulnerability
Summary: Pango could be made to crash if it opened a specially crafted file.
Jeffrey M. discovered that Pango incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
Instructions: After a standard system update you need to restart your session to make
all the necessary changes.
Red Hat
pango: application crash triggered by unicode chars in pango-emoji.c
vendor_redhat·2018-08-20·CVSS 6.5
CVE-2018-15120 [MEDIUM] CWE-617 pango: application crash triggered by unicode chars in pango-emoji.c
pango: application crash triggered by unicode chars in pango-emoji.c
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
Statement: This issue did not affect the versions of pango as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for emojis.
Package: pango (Red Hat Enterprise Linux 5) - Not affected
Package: pango (Red Hat Enterprise Linux 6) - Not affected
Package: pango (Red Hat Enterprise Linux 7) - Not affected
Package: pango (Red Hat Enterprise Linux 8) - Not affected
Package: pango (Red Hat OpenShift Enterprise 3) - Not affected
Debian
CVE-2018-15120: pango1.0 - libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, ...
vendor_debian·2018·CVSS 6.5
CVE-2018-15120 [MEDIUM] CVE-2018-15120: pango1.0 - libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, ...
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.
Scope: local
bookworm: resolved (fixed in 1.42.4-1)
bullseye: resolved (fixed in 1.42.4-1)
forky: resolved (fixed in 1.42.4-1)
sid: resolved (fixed in 1.42.4-1)
trixie: resolved (fixed in 1.42.4-1)
No detection rules found.
Bugzilla
CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c [fedora-all]
bugzilla·2018-08-21·CVSS 6.5
CVE-2018-15120 [MEDIUM] CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c [fedora-all]
CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c
bugzilla·2018-08-07·CVSS 6.5
CVE-2018-15120 [MEDIUM] CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c
CVE-2018-15120 pango: application crash triggered by unicode chars in pango-emoji.c
A flaw was found in Pango since versions 1.40.8 up to newer. Typing certain invalid Emoji sequences into a GTK+ application can trigger a Reachable Assertion resulting in an application crash.
Discussion:
Statement:
This issue did not affect the versions of pango as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for emojis.
---
References:
https://mail.gnome.org/archives/distributor-list/2018-August/msg00001.html
Upstream patch:
https://gitlab.gnome.org/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f
---
Created pango tracking bugs for this issue:
Affects: fedora-all [bug 1619831]
---
Acknowledgments:
Name: Jeffery M
Upstream: GNOME Project
http://52.117.224.77/xfce4-pdos.webmhttps://github.com/GNOME/pango/blob/1.42.4/NEWShttps://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5fhttps://i.redd.it/v7p4n2ptu0s11.jpghttps://mail.gnome.org/archives/distributor-list/2018-August/msg00001.htmlhttps://security.gentoo.org/glsa/201811-07https://usn.ubuntu.com/3750-1/https://www.exploit-db.com/exploits/45263https://www.exploit-db.com/exploits/45263/https://www.ign.com/articles/2018/10/16/ps4s-are-reportedly-being-bricked-and-sony-is-working-on-a-fixhttps://www.reddit.com/r/PS4/comments/9o5efg/message_bricking_console_megathread/http://52.117.224.77/xfce4-pdos.webmhttps://github.com/GNOME/pango/blob/1.42.4/NEWShttps://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5fhttps://i.redd.it/v7p4n2ptu0s11.jpghttps://mail.gnome.org/archives/distributor-list/2018-August/msg00001.htmlhttps://security.gentoo.org/glsa/201811-07https://usn.ubuntu.com/3750-1/https://www.exploit-db.com/exploits/45263https://www.exploit-db.com/exploits/45263/https://www.ign.com/articles/2018/10/16/ps4s-are-reportedly-being-bricked-and-sony-is-working-on-a-fixhttps://www.reddit.com/r/PS4/comments/9o5efg/message_bricking_console_megathread/
2018-08-24
Published