#VU19591 Buffer overflow in Pango


Published: 2019-07-31 | Updated: 2022-02-10

Vulnerability identifier: #VU19591

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1010238

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pango
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing utf-8 strings in the pango_log2vis_get_embedding_levels() function in pango-bidi-type.c. A remote attacker can pass a specially crafted string to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pango: 1.42.0 - 1.42.4

External links
http://gitlab.gnome.org/GNOME/pango/blob/master/pango/pango-bidi-type.c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Oracle SD-WAN Edge
Red Hat update for pango
Gentoo update for Pango
Red Hat update for pango
Red Hat update for pango
Buffer overflow in pango (Alpine package)
Debian update for pango1.0
Ubuntu update for Pango
Remote code execution in Pango