Veracode Vulnerability DatabaseVERACODE:24623Arbitrary Code Execution
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
pango is vulnerable to arbitrary code execution. The vulnerability exists as an input sanitization flaw, leading to a heap-based buffer overflow, was found in the way Pango displayed font files when using the FreeType font engine back end. If a user loaded a malformed font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
References
lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
openwall.com/lists/oss-security/2011/01/18/6
openwall.com/lists/oss-security/2011/01/20/2
osvdb.org/70596
secunia.com/advisories/42934
secunia.com/advisories/43100
www.redhat.com/support/errata/RHSA-2011-0180.html
www.securityfocus.com/bid/45842
www.securitytracker.com/id?1024994
www.vupen.com/english/advisories/2011/0186
www.vupen.com/english/advisories/2011/0238
access.redhat.com/errata/RHSA-2011:0180
access.redhat.com/security/cve/CVE-2011-0020
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616
bugzilla.gnome.org/show_bug.cgi?id=639882
bugzilla.redhat.com/show_bug.cgi?id=671122
exchange.xforce.ibmcloud.com/vulnerabilities/64832
Related
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C