📦

pango

Vendor: pango

Actively Exploited 0 CISA KEV List

PoC / Exploits 2 Code Available

Total RCEs 2 Remote Access

Total CVEs 3 Total Indexed

Avg. EPSS 5.77% Exploit Prob.

Latest CVE CVE-2019-1010238 Jul 19

Security Vulnerability Index

Page 1 / 1

9.8 CVSS

CVE-2019-1010238

RCE

Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize.

EPSS: 9.77%

Severity: CRITICAL

Jul 19, 2019

6.5 CVSS

CVE-2018-15120

Exploit Found

libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences.

EPSS: 5.61%

Severity: MEDIUM

Aug 24, 2018

9.3 CVSS

CVE-2011-3193

Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.

EPSS: 9.73%

Severity: HIGH

Jun 16, 2012

6.8 CVSS

CVE-2011-0064

The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index.

EPSS: 3.09%

Severity: MEDIUM

Mar 07, 2011

7.6 CVSS

CVE-2011-0020

Exploit Found

Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.

EPSS: 5.69%

Severity: HIGH

Jan 24, 2011

4.3 CVSS

CVE-2010-0421

Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database.

EPSS: 1.66%

Severity: MEDIUM

Mar 18, 2010

6.8 CVSS

CVE-2009-1194

RCE

Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.

EPSS: 4.85%

Severity: MEDIUM

May 11, 2009

Displaying 7 of 3 Total Entries

Total 1 Sections