USN-1082-1: Pango vulnerabilities

Releases

• Ubuntu 10.10
• Ubuntu 10.04
• Ubuntu 9.10
• Ubuntu 8.04

Packages

• pango1.0 -

Details

Marc Schoenefeld discovered that Pango incorrectly handled certain Glyph
Definition (GDEF) tables. If a user were tricked into displaying text with
a specially-crafted font, an attacker could cause Pango to crash, resulting
in a denial of service. This issue only affected Ubuntu 8.04 LTS and 9.10.
(CVE-2010-0421)

Dan Rosenberg discovered that Pango incorrectly handled certain FT_Bitmap
objects. If a user were tricked into displaying text with a specially-
crafted font, an attacker could cause a denial of service or execute
arbitrary code with privileges of the user invoking the program. The
default compiler options for affected releases should reduce the
vulnerability to a denial of service. (CVE-2011-0020)

It was discovered that Pango incorrectly handled certain memory
reallocation failures. If a user were tricked into displaying text in a way
that would cause a reallocation failure, an attacker could cause a denial
of service or execute arbitrary code with privileges of the user invoking
the program. This issue only affected Ubuntu 9.10, 10.04 LTS and 10.10.
(CVE-2011-0064)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• libpango1.0-0 - 1.26.0-1ubuntu0.1

Ubuntu 8.04

• libpango1.0-0 - 1.20.5-0ubuntu1.2

Ubuntu 10.10

• gir1.0-pango-1.0 - 1.28.2-0ubuntu1.1

Ubuntu 10.04

• gir1.0-pango-1.0 - 1.28.0-0ubuntu2.2

After a standard system update you need to restart your session to make
all the necessary changes.

References

• CVE-2010-0421
• CVE-2011-0064
• CVE-2011-0020