CVE-2019-1010238

Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
dwfCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
gnomepango
1.42.0 ≤
𝑥
≤ 1.44
oraclesd-wan_edge
7.3
oraclesd-wan_edge
8.0
oraclesd-wan_edge
8.1
oraclesd-wan_edge
8.2
debiandebian_linux
10.0
canonicalubuntu_linux
19.04
redhatopenshift_container_platform
3.11
redhatopenshift_container_platform
4.1
redhatenterprise_linux
8.0
redhatenterprise_linux_desktop
7.0
redhatenterprise_linux_eus
7.4
redhatenterprise_linux_eus
7.6
redhatenterprise_linux_eus
8.1
redhatenterprise_linux_eus
8.2
redhatenterprise_linux_eus
8.4
redhatenterprise_linux_server
7.0
redhatenterprise_linux_server_aus
7.6
redhatenterprise_linux_server_aus
7.7
redhatenterprise_linux_server_aus
8.2
redhatenterprise_linux_server_aus
8.4
redhatenterprise_linux_server_tus
7.6
redhatenterprise_linux_server_tus
7.7
redhatenterprise_linux_server_tus
8.2
redhatenterprise_linux_server_tus
8.4
redhatenterprise_linux_workstation
7.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pango1.0
bullseye
1.46.2-3
fixed
stretch
not-affected
jessie
not-affected
bookworm
1.50.12+ds-1
fixed
sid
1.54.0+ds-3
fixed
trixie
1.54.0+ds-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pango1.0
disco
Fixed 1.42.4-6ubuntu0.1
released
bionic
not-affected
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHBA-2019:2824
https://access.redhat.com/errata/RHSA-2019:2571
https://access.redhat.com/errata/RHSA-2019:2582
https://access.redhat.com/errata/RHSA-2019:2594
https://access.redhat.com/errata/RHSA-2019:3234
https://gitlab.gnome.org/GNOME/pango/-/commits/main/pango/pango-bidi-type.c
https://gitlab.gnome.org/GNOME/pango/-/issues/342
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D6HWAHXJ2ZXINYMANHPFDDCJFWUQ57M4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VFFF4FY7SCAYT3EKTYPGRN6BVKZTH7Y7/
https://seclists.org/bugtraq/2019/Aug/14
https://security.gentoo.org/glsa/201909-03
https://usn.ubuntu.com/4081-1/
https://www.debian.org/security/2019/dsa-4496
https://www.oracle.com/security-alerts/cpuapr2020.html
https://access.redhat.com/errata/RHBA-2019:2824
https://access.redhat.com/errata/RHSA-2019:2571
https://access.redhat.com/errata/RHSA-2019:2582
https://access.redhat.com/errata/RHSA-2019:2594
https://access.redhat.com/errata/RHSA-2019:3234
https://gitlab.gnome.org/GNOME/pango/-/commits/main/pango/pango-bidi-type.c
https://gitlab.gnome.org/GNOME/pango/-/issues/342
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D6HWAHXJ2ZXINYMANHPFDDCJFWUQ57M4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VFFF4FY7SCAYT3EKTYPGRN6BVKZTH7Y7/
https://seclists.org/bugtraq/2019/Aug/14
https://security.gentoo.org/glsa/201909-03
https://usn.ubuntu.com/4081-1/
https://www.debian.org/security/2019/dsa-4496
https://www.oracle.com/security-alerts/cpuapr2020.html