2011-01-02 20:48:40 |
Dan Rosenberg |
bug |
|
|
added bug |
2011-01-02 20:48:40 |
Dan Rosenberg |
attachment added |
|
Malformed font file causes heap corruption https://bugs.launchpad.net/bugs/696616/+attachment/1781981/+files/crash.ttf |
|
2011-01-02 20:49:11 |
Dan Rosenberg |
attachment added |
|
Sample text file to trigger crash https://bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616/+attachment/1781982/+files/test-mixed.txt |
|
2011-01-12 21:14:00 |
Marc Deslauriers |
pango1.0 (Ubuntu): assignee |
|
Kees Cook (kees) |
|
2011-01-18 19:26:17 |
Dan Rosenberg |
description |
When used with FreeType2 as a backend, Pango is vulnerable to heap corruption when rendering malformed fonts. The vulnerability occurs in pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer is malloc'd with size box->bitmap.rows * box->bitmap.pitch. Subsequently, 0xff is written at offsets into this buffer without checking that these offsets fall within the buffer's boundaries, leading to heap corruption.
I tested this against Lucid (Pango 1.28.0) and upstream (Pango 1.28.3).
I've attached a fuzzed version of the FreeSerif TrueType font ("crash.ttf") that can be used to reproduce this corruption as follows, using the test-mixed.txt file included in the pango-view directory of the source tree (also attached):
# cp /usr/share/fonts/truetype/freefont/FreeSerif.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf.bak
# cp crash.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# pango-view --backend=ft2 --font=FreeSerif test-mixed.txt
*** glibc detected *** pango-view: malloc(): memory corruption: 0x000000000116cfa0 ***
======= Backtrace: =========
... |
|
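The bounds check the report describes as missing, written here as an added example (not Pango's source): a box-border renderer that writes 0xff into a rows*pitch buffer only after verifying each offset lies inside it, so a malformed box geometry drops the out-of-range pixels instead of corrupting the heap. The struct, function names and box geometry are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
/* Illustration only, not Pango's code: the bitmap is rows * pitch bytes,
 * as in the report, and every 0xff write is bounds-checked first. */
typedef struct { int rows, pitch; uint8_t *buf; } box_bitmap;

/* Returns 1 if (row, col) was set, 0 if it was rejected as out of bounds. */
static int put_pixel(box_bitmap *bm, int row, int col)
{
    if (row < 0 || col < 0 || row >= bm->rows || col >= bm->pitch)
        return 0;                 /* the check the report says was missing */
    bm->buf[(size_t)row * (size_t)bm->pitch + (size_t)col] = 0xff;
    return 1;
}

/* Draw the border of an h x w box at (top, left) into a new rows*pitch
 * buffer. Returns how many border pixels were dropped for lying outside
 * the buffer (0 for a well-formed glyph), or -1 on invalid geometry.
 * If out is NULL the buffer is freed and only the count is returned. */
int render_box(int rows, int pitch, int top, int left, int h, int w,
               uint8_t **out)
{
    if (rows <= 0 || pitch <= 0 || h <= 0 || w <= 0) return -1;
    if ((size_t)rows > SIZE_MAX / (size_t)pitch) return -1; /* mul overflow */
    box_bitmap bm = { rows, pitch, calloc((size_t)rows, (size_t)pitch) };
    if (!bm.buf) return -1;
    int dropped = 0;
    for (int c = 0; c < w; c++) {                  /* top and bottom edges */
        dropped += !put_pixel(&bm, top, left + c);
        dropped += !put_pixel(&bm, top + h - 1, left + c);
    }
    for (int r = 1; r < h - 1; r++) {              /* left and right edges */
        dropped += !put_pixel(&bm, top + r, left);
        dropped += !put_pixel(&bm, top + r, left + w - 1);
    }
    if (out) *out = bm.buf; else free(bm.buf);
    return dropped;
}

/* Render, return the byte at an in-range (row, col), free the buffer. */
int rendered_pixel(int rows, int pitch, int top, int left, int h, int w,
                   int row, int col)
{
    uint8_t *buf = NULL;
    if (render_box(rows, pitch, top, left, h, w, &buf) < 0) return -1;
    int v = buf[(size_t)row * (size_t)pitch + (size_t)col];
    free(buf);
    return v;
}
```

A well-formed 4x4 box inside an 8x8 bitmap drops nothing, while a 10x10 box placed at (2,2) in a 4x4 bitmap has 33 of its 36 border pixels rejected rather than written past the allocation.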
|
2011-01-18 19:27:31 |
Dan Rosenberg |
visibility |
private |
public |
|
2011-01-18 19:40:19 |
Kees Cook |
bug watch added |
|
https://bugzilla.gnome.org/show_bug.cgi?id=639882 |
|
2011-01-18 19:40:19 |
Kees Cook |
bug task added |
|
pango |
|
2011-01-18 19:40:26 |
Kees Cook |
pango1.0 (Ubuntu): assignee |
Kees Cook (kees) |
|
|
2011-01-18 19:40:30 |
Kees Cook |
pango1.0 (Ubuntu): status |
New |
Confirmed |
|
2011-01-18 19:40:34 |
Kees Cook |
pango1.0 (Ubuntu): importance |
Undecided |
Low |
|
2011-01-18 19:42:23 |
Sebastien Bacher |
pango1.0 (Ubuntu): status |
Confirmed |
Triaged |
|
2011-01-21 09:38:12 |
Bug Watch Updater |
pango: status |
Unknown |
New |
|
2011-01-21 09:38:12 |
Bug Watch Updater |
pango: importance |
Unknown |
Medium |
|
2011-01-22 18:34:30 |
cyrillic |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610792 |
|
2011-01-22 18:34:30 |
cyrillic |
bug task added |
|
pango1.0 (Debian) |
|
2011-01-22 19:16:06 |
Bug Watch Updater |
pango1.0 (Debian): status |
Unknown |
New |
|
2011-01-25 09:32:32 |
Launchpad Janitor |
branch linked |
|
lp:debian/sid/pango1.0 |
|
2011-01-25 19:43:16 |
Bug Watch Updater |
pango1.0 (Debian): status |
New |
Fix Released |
|
2011-02-08 19:19:41 |
Sebastien Bacher |
pango1.0 (Ubuntu): status |
Triaged |
Fix Committed |
|
2011-02-18 03:53:58 |
Bug Watch Updater |
pango: status |
New |
Fix Released |
|
2011-02-18 16:58:38 |
Marc Deslauriers |
cve linked |
|
2011-0020 |
|
2011-03-02 15:04:15 |
Launchpad Janitor |
pango1.0 (Ubuntu): status |
Fix Committed |
Fix Released |
|
2011-03-02 15:04:15 |
Launchpad Janitor |
cve linked |
|
2011-0064 |
|
2011-03-02 15:30:52 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic-security/pango1.0 |
|
2011-03-02 15:30:56 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/hardy-security/pango1.0 |
|
2011-03-02 15:32:31 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/maverick-security/pango1.0 |
|
2011-03-02 15:32:38 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-security/pango1.0 |
|
2011-03-10 10:37:04 |
Martin Pitt |
nominated for series |
|
Ubuntu Maverick |
|
2011-03-10 10:37:04 |
Martin Pitt |
bug task added |
|
pango1.0 (Ubuntu Maverick) |
|
2011-03-10 10:37:04 |
Martin Pitt |
nominated for series |
|
Ubuntu Natty |
|
2011-03-10 10:37:04 |
Martin Pitt |
bug task added |
|
pango1.0 (Ubuntu Natty) |
|
2011-03-10 10:37:23 |
Martin Pitt |
pango1.0 (Ubuntu Maverick): status |
New |
Fix Released |
|
2011-03-10 10:37:36 |
Martin Pitt |
pango1.0 (Ubuntu Natty): importance |
Low |
Medium |
|
2011-03-10 10:37:36 |
Martin Pitt |
pango1.0 (Ubuntu Natty): status |
Fix Released |
In Progress |
|
2011-03-10 10:37:36 |
Martin Pitt |
pango1.0 (Ubuntu Natty): assignee |
|
Martin Pitt (pitti) |
|
2011-03-10 10:38:09 |
Martin Pitt |
pango1.0 (Ubuntu Natty): status |
In Progress |
Fix Committed |
|
2011-03-10 10:39:36 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/pango1.0 |
|
2011-03-10 11:30:11 |
Launchpad Janitor |
pango1.0 (Ubuntu Natty): status |
Fix Committed |
Fix Released |
|
2011-03-19 21:40:40 |
Launchpad Janitor |
branch linked |
|
lp:debian/squeeze/ia32-libs-gtk |
|