Fluid Attacks Database

Description

Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	pango1.0	>=0 <1.28.3-1	1.28.3-1
debian 12	pango1.0	>=0 <1.28.3-1	1.28.3-1
debian 13	pango1.0	>=0 <1.28.3-1	1.28.3-1
debian 14	pango1.0	>=0 <1.28.3-1	1.28.3-1
rpm rhel5	pango	<0:1.14.9-8.el5_7.3	0:1.14.9-8.el5_7.3
rpm rhel6	qt	<1:4.6.2-20.el6	1:4.6.2-20.el6
rpm rhel5	qt4	<0:4.2.1-1.el5_7.1	0:4.2.1-1.el5_7.1

Aliases

1. CVE-2011-31932. NVD-2011-31933. OSV-DEBIAN-2011-31934. OSV-2011-31935. SECURITY-TRACKER-CVE-2011-3193

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.