Bugzilla – Bug 1142332
VUL-0: CVE-2019-1010238: pango: heap based buffer overflow in pango_log2vis_get_embedding_levels can lead to code execution
Last modified: 2022-10-19 04:05:28 UTC
CVE-2019-1010238 Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010238 https://gitlab.gnome.org/GNOME/pango/blob/master/pango/pango-bidi-type.c
Hi Wolfgang: Current tumbleweed has already delivered the modification inside this patch. the openSUSE:Factory doesn't need to fix at all.
Cleaning up GNOME CVE backlog. Assign back to security team according to comment.