In association with heise online

11 May 2009, 14:45

Vulnerability fixed in Pango rendering library

According to oCERT (Open Source Computer Emergency Response Team), an integer overflow in the Pango layout and rendering library may allow code injection and execution through a heap overflow induced by an exploit. The cause of the problem is an error when calculating the memory to be reserved for glyphs.
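The class of bug described above, as an added example that is not Pango's code and not taken from the oCERT report: it shows a glyph-buffer size calculation that wraps around beside a checked form. The glyph_info record, the function names and the 32-bit size arithmetic are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-glyph record (16 bytes); not Pango's actual structure. */
typedef struct {
    uint32_t glyph_id;
    int32_t  x_offset, y_offset, width;
} glyph_info;

/* Unchecked pattern: the byte count is computed in 32-bit arithmetic, so a
 * large glyph count wraps to a small value and the buffer that gets reserved
 * is far smaller than the number of glyphs later written into it. */
uint32_t unchecked_alloc_size(uint32_t n_glyphs)
{
    return n_glyphs * (uint32_t)sizeof(glyph_info);
}

/* Checked pattern: reject any count whose byte size cannot be represented. */
int checked_alloc_size(size_t n_glyphs, size_t *out_bytes)
{
    if (n_glyphs > SIZE_MAX / sizeof(glyph_info))
        return -1;                      /* multiplication would overflow */
    *out_bytes = n_glyphs * sizeof(glyph_info);
    return 0;
}

/* Reserve glyph storage; NULL on zero count, overflow or allocation failure. */
glyph_info *glyph_buffer_new(size_t n_glyphs)
{
    size_t bytes;
    if (n_glyphs == 0 || checked_alloc_size(n_glyphs, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t n = 0x10000001u;           /* constructed oversized glyph count */
    size_t bytes = 0;
    printf("unchecked: %u glyphs -> %u bytes reserved\n",
           (unsigned)n, (unsigned)unchecked_alloc_size(n));
    printf("checked, oversized count: %s\n",
           checked_alloc_size(SIZE_MAX / sizeof(glyph_info) + 1, &bytes) ? "rejected" : "accepted");
    return 0;
}
```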

According to the report, the bug can be remotely exploited using crafted HTML files to at least crash Firefox. In addition to Firefox, many other applications (especially Linux applications) utilise the Pango library (under Ubuntu 8.10 a list can be viewed using apt-cache rdepends libpango1.0-0).

Official versions of Pango prior to, but not including, version 1.24 are affected. The Linux distributors have already released bug-fixed packages. The oCERT report also notes that other rendering subsystems contain similar vulnerabilities and should be checked by their developers; however, it does not give any specific details.