CVE-2011-0064
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | 1 |
Application | 1 |
Nessus

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_LIBPANGO-1_0-0-110301.NASL
description: Specially crafted font files could cause a heap corruption in applications linked against pango (CVE-2011-0064, CVE-2011-0020).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 53753
published: 2011-05-05
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/53753
title: openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update libpango-1_0-0-4076.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(53753);
  script_version("1.6");
  script_cvs_date("Date: 2019/10/25 13:36:40");

  script_cve_id("CVE-2011-0020", "CVE-2011-0064");

  script_name(english:"openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)");
  script_summary(english:"Check for the libpango-1_0-0-4076 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Specially crafted font files could cause a heap corruption in
applications linked against pango (CVE-2011-0064, CVE-2011-0020)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=666101"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=672502"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2011-03/msg00019.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected libpango-1_0-0 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pango");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pango-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pango-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pango-module-thai-lang");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.2", reference:"pango-1.26.2-1.3.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"pango-devel-1.26.2-1.3.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"pango-module-thai-lang-1.26.2-1.3.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"pango-32bit-1.26.2-1.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pango / pango-32bit / pango-devel / pango-module-thai-lang");
}
```

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2011-0309.NASL
description: From Red Hat Security Advisory 2011:0309: Updated pango packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pango is a library used for the layout and rendering of internationalized text. It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064) Red Hat would like to thank the Mozilla Security Team for reporting this issue. All pango users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, you must restart your system or restart the X server for the update to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 68212
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/68212
title: Oracle Linux 6 : pango (ELSA-2011-0309)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_PANGO-110301.NASL
description: Specially crafted font files could cause a heap corruption in applications linked against pango. (CVE-2011-0064 / CVE-2011-0020)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52960
published: 2011-03-24
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/52960
title: SuSE 11.1 Security Update : pango (SAT Patch Number 4065)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_3_LIBPANGO-1_0-0-110301.NASL
description: Specially crafted font files could cause a heap corruption in applications linked against pango (CVE-2011-0064, CVE-2011-0020).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 75599
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/75599
title: openSUSE Security Update : libpango-1_0-0 (openSUSE-SU-2011:0221-1)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20110301_PANGO_ON_SL6_X.NASL
description: It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064) After installing this update, you must restart your system or restart the X server for the update to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 60970
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60970
title: Scientific Linux Security Update : pango on SL6.x i386/x86_64

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-3194.NASL
description: It was discovered that pango did not check for memory reallocation failures in the hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index for accessing members of the incorrectly reallocated array, resulting in the use of the NULL address as the base array address. This can result in application crash or, possibly, code execution. It was demonstrated that it
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52696
published: 2011-03-17
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/52696
title: Fedora 14 : pango-1.28.1-5.fc14 (2011-3194)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2011-040.NASL
description: A vulnerability has been found and corrected in pango: It was discovered that pango did not check for memory reallocation failures in the hb_buffer_ensure() function. This could trigger a NULL pointer dereference in hb_buffer_add_glyph(), where possibly untrusted input is used as an index for accessing members of the incorrectly reallocated array, resulting in the use of the NULL address as the base array address. This can result in application crash or, possibly, code execution (CVE-2011-0064). The updated packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52541
published: 2011-03-04
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/52541
title: Mandriva Linux Security Advisory : pango (MDVSA-2011:040)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2011-0309.NASL
description: Updated pango packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Pango is a library used for the layout and rendering of internationalized text. It was discovered that Pango did not check for memory reallocation failures in the hb_buffer_ensure() function. An attacker able to trigger a reallocation failure by passing sufficiently large input to an application using Pango could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0064) Red Hat would like to thank the Mozilla Security Team for reporting this issue. All pango users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, you must restart your system or restart the X server for the update to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52493
published: 2011-03-02
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/52493
title: RHEL 6 : pango (RHSA-2011:0309)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201405-13.NASL
description: The remote host is affected by the vulnerability described in GLSA-201405-13 (Pango: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Pango. Please review the CVE identifiers referenced below for details. Impact: A context-dependent attacker could entice a user to load specially crafted text using an application linked against Pango, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 74056
published: 2014-05-19
reporter: This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/74056
title: GLSA-201405-13 : Pango: Multiple vulnerabilities

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-2178.NASL
description: It was discovered that Pango did not check for memory allocation failures, causing a NULL pointer dereference with an adjustable offset. This can lead to application crashes and potentially arbitrary code execution. The oldstable distribution (lenny) is not affected by this problem.
last seen: 2020-03-17
modified: 2011-03-03
plugin id: 52512
published: 2011-03-03
reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/52512
title: Debian DSA-2178-1 : pango1.0 - NULL pointer dereference

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-1082-1.NASL
description: Marc Schoenefeld discovered that Pango incorrectly handled certain Glyph Definition (GDEF) tables. If a user were tricked into displaying text with a specially crafted font, an attacker could cause Pango to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 LTS and 9.10. (CVE-2010-0421) Dan Rosenberg discovered that Pango incorrectly handled certain FT_Bitmap objects. If a user were tricked into displaying text with a specially crafted font, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2011-0020) It was discovered that Pango incorrectly handled certain memory reallocation failures. If a user were tricked into displaying text in a way that would cause a reallocation failure, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. This issue only affected Ubuntu 9.10, 10.04 LTS and 10.10. (CVE-2011-0064) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52529
published: 2011-03-03
reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/52529
title: Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : pango1.0 vulnerabilities (USN-1082-1)
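The summary and the Fedora and Mandriva descriptions above give the bug pattern: the realloc result is assigned straight back into the buffer and the grown capacity is recorded regardless of success, so on failure the glyph array pointer becomes NULL while the buffer still believes it has room, and the next hb_buffer_add_glyph() writes through NULL plus an index taken from the font. The C program below is an added illustration written for this page, not HarfBuzz's or Pango's code; the glyph_buffer_t layout, the function names and the g_fail_next_realloc hook that forces one reallocation to fail are assumptions made so the failure can be reproduced without feeding gigabytes of input. It puts the unchecked pattern next to a hardened version that keeps the old allocation on failure, latches an in_error flag so every later append is refused, and (going a step beyond the advisories) guards the capacity arithmetic against unsigned wrap-around.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified glyph record and buffer (assumed layout; the real
   hb_glyph_info_t / hb_buffer_t carry more fields). */
typedef struct { uint32_t codepoint; uint32_t cluster; } glyph_info_t;

typedef struct {
    glyph_info_t *info;      /* heap array of glyphs */
    unsigned int allocated;  /* capacity in elements */
    unsigned int len;        /* elements in use */
    bool in_error;           /* set once an allocation failed (hardened path only) */
} glyph_buffer_t;

/* Test hook (an assumption for this example, not part of any library): when
   set, the next reallocation returns NULL and leaves the old block untouched,
   exactly what realloc(3) does on ENOMEM. */
static int g_fail_next_realloc = 0;

static void *hooked_realloc(void *p, size_t n) {
    if (g_fail_next_realloc) { g_fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Growth policy shared by both variants: 1.5x plus a small constant. */
static unsigned int next_capacity(unsigned int cap) { return cap + (cap >> 1) + 8; }

/* ---- Unchecked pattern, as the advisory texts describe it ---- */

/* The realloc result is stored straight into the buffer and the new capacity
   recorded whether or not it succeeded: after a failure info == NULL while
   allocated claims there is room. */
static void ensure_unchecked(glyph_buffer_t *b, unsigned int size) {
    if (size <= b->allocated) return;
    unsigned int cap = b->allocated;
    while (size > cap) cap = next_capacity(cap);
    b->info = hooked_realloc(b->info, (size_t)cap * sizeof *b->info);
    b->allocated = cap;
}

/* After a failed ensure_unchecked() this writes to NULL + len * sizeof(glyph):
   a crash, or a controlled write if len is attacker-influenced. It is never
   called in that state here; it only shows where the dereference happens. */
static void add_glyph_unchecked(glyph_buffer_t *b, uint32_t cp, uint32_t cluster) {
    ensure_unchecked(b, b->len + 1);
    b->info[b->len].codepoint = cp;
    b->info[b->len].cluster = cluster;
    b->len++;
}

/* ---- Hardened pattern ---- */

/* Keeps the old allocation on failure, refuses all work once in_error is set,
   and rejects capacities whose arithmetic would wrap. */
static bool ensure_checked(glyph_buffer_t *b, unsigned int size) {
    if (b->in_error) return false;
    if (size <= b->allocated) return true;
    unsigned int cap = b->allocated;
    while (size > cap) {
        unsigned int next = next_capacity(cap);
        if (next <= cap) { b->in_error = true; return false; }   /* wrapped */
        cap = next;
    }
    if (cap > SIZE_MAX / sizeof *b->info) { b->in_error = true; return false; }
    glyph_info_t *p = hooked_realloc(b->info, (size_t)cap * sizeof *b->info);
    if (!p) { b->in_error = true; return false; }   /* b->info is still valid */
    b->info = p;
    b->allocated = cap;
    return true;
}

static bool add_glyph_checked(glyph_buffer_t *b, uint32_t cp, uint32_t cluster) {
    if (!ensure_checked(b, b->len + 1)) return false;
    b->info[b->len].codepoint = cp;
    b->info[b->len].cluster = cluster;
    b->len++;
    return true;
}

/* Force one reallocation failure against each variant. Returns true when the
   unchecked buffer is left with a NULL base and a non-zero capacity (the state
   the advisory describes) and the hardened buffer stays consistent. */
static bool demo(void) {
    bool ok = true;

    glyph_buffer_t v = {0};
    add_glyph_unchecked(&v, 'A', 0);            /* first growth succeeds: 8 slots */
    glyph_info_t *old = v.info;
    g_fail_next_realloc = 1;
    ensure_unchecked(&v, v.allocated + 1);      /* growth to 20 slots fails */
    ok = ok && v.info == NULL && v.allocated == 20;
    free(old);                                  /* the unchecked code also leaks this */

    glyph_buffer_t h = {0};
    ok = ok && add_glyph_checked(&h, 'A', 0);
    old = h.info;
    g_fail_next_realloc = 1;
    ok = ok && !ensure_checked(&h, h.allocated + 1);
    ok = ok && h.info == old && h.allocated == 8 && h.in_error;
    ok = ok && !add_glyph_checked(&h, 'B', 1) && h.len == 1;   /* refused, no write */
    free(h.info);
    return ok;
}

int main(void) {
    puts(demo() ? "unchecked: NULL base with capacity 20; hardened: old buffer kept, append refused"
                : "unexpected state");
    return 0;
}
```

The hardened ensure does not free anything on failure because realloc leaves the original block valid; the caller still owns it and must decide whether to abandon the whole layout operation, which is what the latched in_error flag forces every later append to do.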
References
- http://www.debian.org/security/2011/dsa-2178
- http://www.vupen.com/english/advisories/2011/0558
- http://www.securityfocus.com/bid/46632
- https://bugzilla.novell.com/show_bug.cgi?id=672502
- http://www.vupen.com/english/advisories/2011/0555
- http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2ed2cd307e7a991346faee164e70d9
- http://www.ubuntu.com/usn/USN-1082-1
- http://secunia.com/advisories/43559
- http://securitytracker.com/id?1025145
- http://secunia.com/advisories/43572
- http://secunia.com/advisories/43578
- http://www.redhat.com/support/errata/RHSA-2011-0309.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=606997
- http://www.vupen.com/english/advisories/2011/0543
- https://build.opensuse.org/request/show/63070
- https://bugzilla.redhat.com/show_bug.cgi?id=678563
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056065.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:040
- http://www.vupen.com/english/advisories/2011/0584
- http://secunia.com/advisories/43800
- http://www.vupen.com/english/advisories/2011/0683
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65770