Gnome Pango vulnerabilities

6 known vulnerabilities affecting gnome/pango.

Total CVEs

6

CISA KEV

0

Public exploits

2

Exploited in wild

0

Severity breakdown

CRITICAL2HIGH1MEDIUM3

Vulnerabilities

Page 1 of 1

CVE-2019-1010238CRITICALCVSS 9.8≥ 1.42.0, ≤ 1.44v1.42 and later2019-07-19

CVE-2019-1010238 [CRITICAL] CWE-787 CVE-2019-1010238: Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer ove Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to funct

CVE-2018-15120MEDIUMCVSS 6.5PoC≥ 1.40.8, ≤ 1.42.32018-08-24

CVE-2018-15120 [MEDIUM] CWE-119 CVE-2018-15120: libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attack libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.

CVE-2011-3193CRITICALCVSS 9.3fixed in 1.25.12012-06-16

CVE-2011-3193 [CRITICAL] CWE-787 CVE-2011-3193: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos. Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.

CVE-2011-0064MEDIUMCVSS 6.8v1.28.32011-03-07

CVE-2011-0064 [MEDIUM] CVE-2011-0064: The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and othe The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an

CVE-2011-0020HIGHCVSS 7.6PoC≤ 1.28.3v1.28.0+2 more2011-01-24

CVE-2011-0020 [HIGH] CWE-119 CVE-2011-0020: Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render. Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box f

CVE-2010-0421MEDIUMCVSS 4.3≤ 1.272010-03-18

CVE-2010-0421 [MEDIUM] CWE-119 CVE-2010-0421: Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property