Ubuntu

Heap corruption in font parsing with FreeType2 backend

Reported by Dan Rosenberg on 2011-01-02
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Pango
Fix Released
Medium
pango1.0 (Debian)
Fix Released
Unknown
pango1.0 (Ubuntu)
Medium
Martin Pitt
Maverick
Undecided
Unassigned
Natty
Medium
Martin Pitt

Bug Description

When used with FreeType2 as a backend, Pango is vulnerable to heap corruption when rendering malformed fonts. The vulnerability occurs in pango_ft2_font_render_box_glyph() in pango/pangoft2-render.c. A buffer is malloc'd with size box->bitmap.rows * box->bitmap.pitch. Subsequently, 0xff is written at offsets into this buffer without checking that these offsets fall within the buffer's boundaries, leading to heap corruption.

I tested this against Lucid (Pango 1.28.0) and upstream (Pango 1.28.3).

I've attached a fuzzed version of the FreeSerif TrueType font ("crash.ttf") that can be used to reproduce this corruption as follows, using the test-mixed.txt file included in the pango-view directory of the source tree (also attached):

# cp /usr/share/fonts/truetype/freefont/FreeSerif.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf.bak
# cp crash.ttf /usr/share/fonts/truetype/freefont/FreeSerif.ttf
# pango-view --backend=ft2 --font=FreeSerif test-mixed.txt
*** glibc detected *** pango-view: malloc(): memory corruption: 0x000000000116cfa0 ***
======= Backtrace: =========
...

Dan Rosenberg (dan-j-rosenberg) wrote :
Dan Rosenberg (dan-j-rosenberg) wrote :
Changed in pango1.0 (Ubuntu):
assignee: nobody → Kees Cook (kees)
description: updated
visibility: private → public
Kees Cook (kees) on 2011-01-18
Changed in pango1.0 (Ubuntu):
assignee: Kees Cook (kees) → nobody
status: New → Confirmed
importance: Undecided → Low
Changed in pango1.0 (Ubuntu):
status: Confirmed → Triaged
Changed in pango:
importance: Unknown → Medium
status: Unknown → New
Changed in pango1.0 (Debian):
status: Unknown → New
Changed in pango1.0 (Debian):
status: New → Fix Released
Changed in pango1.0 (Ubuntu):
status: Triaged → Fix Committed
Changed in pango:
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pango1.0 - 1.28.2-0ubuntu1.1

---------------
pango1.0 (1.28.2-0ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    crafted font file (LP: #696616)
    - debian/patches/20_CVE-2011-0020.patch: check for overflow in
      pango/pangoft2-render.c.
    - CVE-2011-0020
  * SECURITY UPDATE: denial of service and possible code execution via
    unchecked realloc failures
    - debian/patches/21_CVE-2011-0064.patch: check for realloc failures in
      pango/opentype/hb-buffer.*, pango/opentype/hb-buffer-private.h.
    - CVE-2011-0064
 -- Marc Deslauriers <email address hidden> Tue, 01 Mar 2011 09:35:52 -0500

Changed in pango1.0 (Ubuntu):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

This was fixed forMaverick, but natty is still vulnerable.

Changed in pango1.0 (Ubuntu Maverick):
status: New → Fix Released
Changed in pango1.0 (Ubuntu Natty):
assignee: nobody → Martin Pitt (pitti)
importance: Low → Medium
status: Fix Released → In Progress
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pango1.0 - 1.28.3-4ubuntu1

---------------
pango1.0 (1.28.3-4ubuntu1) natty; urgency=low

  * Merge changes from 1.28.3-1+squeeze1:
    - 01_CVE-2011-0020.patch: patch from Behdad Esfahbod to fix heap
      corruption. Closes: #610792, CVE-2011-0020. LP: #696616.
  * Merge changes from 1.28.3-2~sid1:
    - 02_CVE-2011-0064.patch: patch from Behdad Esfahbod and Karl Tomlinson to
      fix buffer overwrite on OOM realloc failure. CVE-2011-0064, Mozilla
      #606997.
  * Add 00git_gi_annotations.patch: Cherrypick GI annotation fixes from
    upstream trunk.
  * debian/rules: Remove upstream shipped pango/*.gir to force their
    regeneration during package build.
 -- Martin Pitt <email address hidden> Thu, 10 Mar 2011 11:34:30 +0100

Changed in pango1.0 (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.