Bug 1142332 - (CVE-2019-1010238) VUL-0: CVE-2019-1010238: pango: heap based buffer overflow in pango_log2vis_get_embedding_levels can lead to code execution
(CVE-2019-1010238)
VUL-0: CVE-2019-1010238: pango: heap based buffer overflow in pango_log2vis_...
Status: REOPENED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P3 - Medium : Normal (vote)
: Current
Assigned To: Security Team bot
E-mail List
https://smash.suse.de/issue/237744/
CVSSv3:SUSE:CVE-2019-1010238:7.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-22 09:56 UTC by Wolfgang Frisch
Modified: 2022-10-19 04:05 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2019-07-22 09:56:01 UTC
CVE-2019-1010238

Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The
heap based buffer overflow can be used to get code execution. The component is:
function name: pango_log2vis_get_embedding_levels, assignment of nchars and the
loop condition. The attack vector is: Bug can be used when application pass
invalid utf-8 strings to functions like pango_itemize.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238
https://gitlab.gnome.org/GNOME/pango/blob/master/pango/pango-bidi-type.c
Comment 4 Cliff Zhao 2019-12-05 04:09:37 UTC
Hi Wolfgang:

Current tumbleweed has already delivered the modification inside this patch. the openSUSE:Factory doesn't need to fix at all.
Comment 5 Jia Zhaocong 2022-10-19 04:05:28 UTC
Cleaning up GNOME CVE backlog. Assign back to security team according to comment.