Security Advisory Moderate: pango security update

Advisory: RHSA-2011:1326-1
Type: Security Advisory
Severity: Moderate
Issued on: 2011-09-21
Last updated on: 2011-09-21
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-3193

Details

Updated pango packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Pango is a library used for the layout and rendering of internationalized
text.

A buffer overflow flaw was found in HarfBuzz, an OpenType text shaping
engine used in Pango. If a user loaded a specially-crafted font file with
an application that uses Pango, it could cause the application to crash or,
possibly, execute arbitrary code with the privileges of the user running
the application. (CVE-2011-3193)

Users of pango are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing this
update, you must restart your system or restart the X server for the update
to take effect.
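
The restart is needed because a process started before the update keeps the old, now unlinked, library mapped. The script below is an added example, not part of Red Hat's advisory: it lists processes that still map a replaced Pango library. The function names, the `PROC_ROOT` argument and the sample `maps` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still map the
# pre-update, now unlinked, copy of a Pango shared library.

# Succeeds if the given /proc/PID/maps listing has a libpango mapping whose
# backing file is marked "(deleted)", i.e. replaced on disk since it was loaded.
maps_has_stale_pango() {
    grep -Eq '/libpango[^/ ]*\.so[^/ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Prints the PIDs (ascending) under PROC_ROOT that need a restart.
# PROC_ROOT is an assumption added for offline testing; it defaults to /proc.
stale_pango_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_pango "$maps"; then
            pid_dir=${maps%/maps}
            echo "${pid_dir##*/}"
        fi
    done | sort -n
}

# Constructed sample: a fake /proc tree with three processes.
make_sample_proc() {
    root=$1
    mkdir -p "$root/101" "$root/202" "$root/303"
    # 101: started before the update, still maps the replaced library.
    cat > "$root/101/maps" <<'EOF'
00110000-0014e000 r-xp 00000000 fd:00 1311 /usr/lib/libpango-1.0.so.0.1400.9 (deleted)
0014e000-00150000 rwxp 0003d000 fd:00 1311 /usr/lib/libpango-1.0.so.0.1400.9 (deleted)
EOF
    # 202: started after the update, maps the current file.
    cat > "$root/202/maps" <<'EOF'
00110000-0014e000 r-xp 00000000 fd:00 2417 /usr/lib/libpango-1.0.so.0.1400.9
EOF
    # 303: has a deleted mapping, but not of a Pango library.
    cat > "$root/303/maps" <<'EOF'
00a00000-00a10000 r-xp 00000000 fd:00 9001 /tmp/scratch.so (deleted)
EOF
}
```

On a live system, run `stale_pango_pids` with no argument as root so that every process's `maps` file is readable. Any PID it prints belongs to a process that should be restarted.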


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
pango-1.14.9-8.el5_7.3.src.rpm

IA-32:
pango-devel-1.14.9-8.el5_7.3.i386.rpm

x86_64:
pango-devel-1.14.9-8.el5_7.3.i386.rpm
pango-devel-1.14.9-8.el5_7.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
pango-1.14.9-8.el5_7.3.src.rpm

IA-32:
pango-1.14.9-8.el5_7.3.i386.rpm
pango-devel-1.14.9-8.el5_7.3.i386.rpm

IA-64:
pango-1.14.9-8.el5_7.3.i386.rpm
pango-1.14.9-8.el5_7.3.ia64.rpm
pango-devel-1.14.9-8.el5_7.3.ia64.rpm

PPC:
pango-1.14.9-8.el5_7.3.ppc.rpm
pango-1.14.9-8.el5_7.3.ppc64.rpm
pango-devel-1.14.9-8.el5_7.3.ppc.rpm
pango-devel-1.14.9-8.el5_7.3.ppc64.rpm

s390x:
pango-1.14.9-8.el5_7.3.s390.rpm
pango-1.14.9-8.el5_7.3.s390x.rpm
pango-devel-1.14.9-8.el5_7.3.s390.rpm
pango-devel-1.14.9-8.el5_7.3.s390x.rpm

x86_64:
pango-1.14.9-8.el5_7.3.i386.rpm
pango-1.14.9-8.el5_7.3.x86_64.rpm
pango-devel-1.14.9-8.el5_7.3.i386.rpm
pango-devel-1.14.9-8.el5_7.3.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
pango-1.14.9-8.el5_7.3.src.rpm

IA-32:
pango-1.14.9-8.el5_7.3.i386.rpm

x86_64:
pango-1.14.9-8.el5_7.3.i386.rpm
pango-1.14.9-8.el5_7.3.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

733118 - CVE-2011-3193 qt/harfbuzz buffer overflow


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/