Fluid Attacks Database

Description

Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	pango1.0	>=0 <1.24.0-2	1.24.0-2
debian 12	pango1.0	>=0 <1.24.0-2	1.24.0-2
debian 13	pango1.0	>=0 <1.24.0-2	1.24.0-2
debian 14	pango1.0	>=0 <1.24.0-2	1.24.0-2
rpm rhel5	pango	<0:1.14.9-5.el5_3	0:1.14.9-5.el5_3

Aliases

1. CVE-2009-11942. NVD-2009-11943. OSV-DEBIAN-2009-11944. OSV-2009-11945. SECURITY-TRACKER-CVE-2009-1194

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.