#VU14537 Assertion failure in Pango - CVE-2018-15120

Cybersecurity Help s.r.o.

Published: 2018-08-27 | Updated: 2021-06-17

Vulnerability identifier: #VU14537

Vulnerability risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-15120

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Pango
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient validation of user-supplied input processed by the pango/pango-emoji.c source code file. A remote attacker can type a series of invalid Unicode characters in the affected application, trigger an assertion failure and cause the application to crash.

Mitigation
Update to version 1.42.4.

Vulnerable software versions

Pango: 0.20 - 1.42.3

External links
https://github.com/GNOME/pango/blob/1.42.4/NEWS
https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Gentoo update for Pango

Assertion failure in pango (Alpine package)

OpenSUSE Linux update for pango

Fedora 27 update for pango

Denial of service in Pango