Bug#933860: pango1.0: CVE-2019-1010238
Salvatore Bonaccorso
carnil at debian.org
Fri Aug 9 16:29:58 BST 2019
Hi Simon,
On Sun, Aug 04, 2019 at 07:05:42PM +0100, Simon McVittie wrote:
> https://gitlab.gnome.org/GNOME/pango/issues/342 has now been unembargoed.
>
> On Sun, 04 Aug 2019 at 19:21:29 +0200, Salvatore Bonaccorso wrote:
> > Is there some indication which upstream code change introduced
> > the issue so we can try to narrow this down?
>
> Not as far as I can see, but I am not a Pango expert. Perhaps someone
> else in the GNOME team has some insight here?
>
> > Re the no-dsa/dsa question, the added severity does not necessarily
> > imply that, actually to be on the safe side I should have chosen grave
> > (which then can be lowered if not appropriate). The problem was simply
> > I cannot determine well enough the impact and exploiting/attack
> > scenarios.
> >
> > Does the upstream bug give more details which can help on that?
>
> The upstream bug reporter writes:
>
> [The segfault] happens because g_utf8_strlen("\xf8")
> is zero, so n_chars will be zero at this point:
> https://gitlab.gnome.org/GNOME/pango/blob/eb2c647ff693bf3218fd1772f11a008bfbc975e7/pango/pango-bidi-type.c#L173
>
> But because length = 1, the loop at
> https://gitlab.gnome.org/GNOME/pango/blob/eb2c647ff693bf3218fd1772f11a008bfbc975e7/pango/pango-bidi-type.c#L181
> still executes at least one time, leading to a NULL pointer
> dereference (g_new(.., 0) = NULL)).
>
> In general, this issue leads to an out-of-bounds heap write and can
> be triggered via pango_itemize if the bytes passed to pango_itemize
> are user-controlled.
>
> I hope that's helpful.
>
> Sorry, I don't know enough about Pango to know whether it's reasonable
> to pass malformed UTF-8 to pango_itemize(), or whether this can happen in
> practice in (for example) web browsers.
I tried to get an idea, also consulting codesearch. It's not fully
clear to me. But given there is stuff like qtwebkit and qt4-x11 in the
list I guess we are safer off if we release a DSA and say something
along the lines of "denial of service and potentially the execution of
arbitrary code".
Do you have free cycles to prepare the update for buster-security?
I think we can simply go with a 1.42.4-7~deb10u1 as "rebuild for
buster-security".
Thank you for your time so far!
Regards,
Salvatore
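An added illustration of the byte-count versus character-count mismatch quoted above (not code from the bug report, from Pango or from GLib): a length-bounded character count drops a trailing partial sequence, while a loop that walks `p < text + length` with the same skip table still visits it, so a buffer sized by the character count is one entry short (or NULL for a zero-size allocation). The names `utf8_skip`, `utf8_strlen_partial`, `loop_iterations` and `checked_n_chars` are hypothetical, and the UTF-8 walk is an approximation of `g_utf8_strlen()` / `g_utf8_next_char()` written for this example.

```c
#include <stdlib.h>

/* Sequence length from a UTF-8 lead byte, mirroring GLib's g_utf8_skip
 * table (0xf8-0xfb -> 5, 0xfc-0xfd -> 6, 0xfe/0xff -> 1). */
static size_t utf8_skip(unsigned char c)
{
    if (c < 0xc0) return 1;  if (c < 0xe0) return 2;  if (c < 0xf0) return 3;
    if (c < 0xf8) return 4;  if (c < 0xfc) return 5;  return c < 0xfe ? 6 : 1;
}

/* Approximation (not GLib's code) of length-bounded g_utf8_strlen(): a
 * trailing sequence that runs past `len` is not counted, so "\xf8" -> 0. */
size_t utf8_strlen_partial(const char *s, size_t len)
{
    size_t n = 0, i = 0;
    while (i < len && s[i]) {
        size_t next = i + utf8_skip((unsigned char)s[i]);
        if (next > len) break;          /* partial char: not counted */
        n++;
        i = next;
    }
    return n;
}

/* Passes made by a loop that walks `p < text + length` by skip table: a lead
 * byte whose encoded size overshoots the end still costs one pass. */
size_t loop_iterations(const char *s, size_t len)
{
    size_t iters = 0, i = 0;
    while (i < len) {
        i += utf8_skip((unsigned char)s[i]);
        iters++;
    }
    return iters;
}

/* Hardened sizing: reject input where the byte walk and the char count
 * disagree, so a buffer of n_chars entries is never indexed past its end
 * and a zero-size allocation is never dereferenced. Returns n_chars or -1. */
long checked_n_chars(const char *s, size_t len)
{
    size_t n_chars = utf8_strlen_partial(s, len);
    if (n_chars == 0 || loop_iterations(s, len) != n_chars)
        return -1;                      /* malformed or truncated UTF-8 */
    return (long)n_chars;
}
```

For the reporter's input `"\xf8"` with length 1 the character count is 0 while the loop still runs once; the check above rejects it instead of allocating zero entries.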