Fluid Attacks Database

Description

Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel5	pango	<0:1.14.9-8.el5_6.2	0:1.14.9-8.el5_6.2
rpm rhel6	pango	<0:1.28.1-3.el6_0.3	0:1.28.1-3.el6_0.3
debian 11	pango1.0	>=0 <1.28.3-1+squeeze1	1.28.3-1+squeeze1
debian 12	pango1.0	>=0 <1.28.3-1+squeeze1	1.28.3-1+squeeze1
debian 13	pango1.0	>=0 <1.28.3-1+squeeze1	1.28.3-1+squeeze1
debian 14	pango1.0	>=0 <1.28.3-1+squeeze1	1.28.3-1+squeeze1

Aliases

1. CVE-2011-00202. NVD-2011-00203. OSV-2011-00204. OSV-DEBIAN-2011-00205. SECURITY-TRACKER-CVE-2011-0020

References

1. https://www.exploit-db.com/exploits/35232

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.