-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVA-2009:158
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pango
 Date    : July 23, 2009
 Affected: 2008.1, 2009.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Integer overflow in the pango_glyph_string_set_size function in
 pango/glyphstring.c in Pango before 1.24 allows context-dependent
 attackers to cause a denial of service (application crash) or possibly
 execute arbitrary code via a long glyph string that triggers a
 heap-based buffer overflow.

 This update corrects the issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKaNzHmqjQ0CJFipgRAjr/AKCWWtP6sYotwbQucYFZr/KIXUasGQCfbC5Q
CIw1m2fY+cFmwVvxR/A1JLk=
=3XE/
-----END PGP SIGNATURE-----
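
The bug class named in the problem description (an integer overflow in a size computation that leads to an undersized heap buffer), as an added example that is not Pango's source and not part of the advisory. It models a doubling glyph buffer; `glyph_info`, `glyph_buf`, `unchecked_bytes` and `glyph_buf_set_size` are hypothetical names, and the 20-byte element size is an assumption.

```c
/* Added illustration of the overflow class; not Pango's source code. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 20-byte element standing in for one glyph record. */
typedef struct { uint32_t glyph; int32_t width, x_off, y_off; uint32_t attr; } glyph_info;
typedef struct { glyph_info *glyphs; int num, space; } glyph_buf;

/* Unsafe pattern: the byte count is computed in 32 bits and wraps silently,
   so a huge element count can turn into a tiny allocation request. */
uint32_t unchecked_bytes(uint32_t space) {
    return space * (uint32_t)sizeof(glyph_info);
}

/* Hardened resize. Returns 0 on success, -1 if the request is negative,
   cannot be represented, or cannot be allocated; on failure the buffer
   is left exactly as it was. */
int glyph_buf_set_size(glyph_buf *b, int new_len) {
    int space = b->space;
    if (new_len < 0) return -1;
    while (new_len > space) {
        if (space == 0) space = 1;
        else if (space > INT_MAX / 2) return -1;   /* doubling would overflow int */
        else space *= 2;
    }
    if ((size_t)space > SIZE_MAX / sizeof(glyph_info))
        return -1;                                 /* byte count would wrap size_t */
    if (space != b->space) {
        glyph_info *p = realloc(b->glyphs, (size_t)space * sizeof(glyph_info));
        if (p == NULL) return -1;
        b->glyphs = p;
        b->space = space;
    }
    b->num = new_len;
    return 0;
}

int main(void) {
    glyph_buf b = {NULL, 0, 0};
    int r1 = glyph_buf_set_size(&b, 5);        /* grows capacity 1, 2, 4, 8 */
    int r2 = glyph_buf_set_size(&b, INT_MAX);  /* rejected, buffer unchanged */
    printf("unchecked bytes for 2^30 glyphs: %u\n", (unsigned)unchecked_bytes(1u << 30));
    printf("set_size(5) -> %d, set_size(INT_MAX) -> %d, space=%d\n", r1, r2, b.space);
    free(b.glyphs);
    return 0;
}
```

The capacity check runs before the multiplication, so an oversized request is refused instead of producing a buffer smaller than the length the caller goes on to write.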