CVE-2019-1010238

9.8 CRITICAL

📋 TL;DR

A heap buffer overflow vulnerability in Pango's text layout engine allows remote code execution when applications process specially crafted UTF-8 strings. This affects GNOME Pango 1.42 and later versions, potentially impacting any application using Pango for text rendering. Attackers can exploit this by passing malformed UTF-8 strings to functions like pango_itemize.

💻 Affected Systems

Products:
  • GNOME Pango
Versions: 1.42 and later
Operating Systems: Linux distributions with GNOME desktop environments
Default Config Vulnerable: ⚠️ Yes
Notes: Applications must use vulnerable Pango functions with untrusted input. Common in text rendering applications and desktop environments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the application using Pango, potentially leading to complete system compromise.

🟠 Likely Case: Application crash (denial of service) or limited code execution, depending on application context and memory protections.

🟢 If Mitigated: Application crash with no code execution if ASLR/DEP/stack canaries are properly implemented and effective.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific UTF-8 strings and targeting applications that pass them to vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisories for specific patched versions

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2571

Restart Required: Yes

Instructions:

1. Update the Pango package using the system package manager.
2. Restart affected applications.
3. For Red Hat systems, apply the relevant RHSA patches.

🔧 Temporary Workarounds

Input validation (all platforms): Validate and sanitize UTF-8 strings before passing them to Pango functions.

Memory protection hardening (linux): Enable ASLR, DEP, and other memory protection mechanisms:

sysctl -w kernel.randomize_va_space=2
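The check behind the "Input validation" workaround, as an added example that is not Pango's or the page's own code: a strict RFC 3629 UTF-8 validator run over untrusted text before any layout call, rejecting the overlong, surrogate, out-of-range and truncated sequences a layout engine should never see. render_text_checked and its commented-out Pango call site are hypothetical stand-ins for the application's own code.

```c
/* Added example, not Pango project code: a strict RFC 3629 UTF-8 validator
 * used as a gate before untrusted text reaches a layout function.
 * render_text_checked() is a hypothetical stand-in for the app's Pango call. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8 (no overlongs, no surrogates,
 * no code points above U+10FFFF, no truncated sequences), else 0. */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need;            /* continuation bytes expected after the lead byte */
        uint32_t cp, min;       /* decoded code point and the minimum legal for this length */
        if (b < 0x80) { i++; continue; }
        else if (b >= 0xC2 && b <= 0xDF) { need = 1; cp = b & 0x1F; min = 0x80; }
        else if (b >= 0xE0 && b <= 0xEF) { need = 2; cp = b & 0x0F; min = 0x800; }
        else if (b >= 0xF0 && b <= 0xF4) { need = 3; cp = b & 0x07; min = 0x10000; }
        else return 0;          /* 0x80-0xBF stray continuation, 0xC0/0xC1 overlong, 0xF5+ */
        if (len - i - 1 < need) return 0;           /* sequence truncated by end of buffer */
        for (size_t k = 1; k <= need; k++) {
            unsigned char c = buf[i + k];
            if ((c & 0xC0) != 0x80) return 0;       /* not a continuation byte */
            cp = (cp << 6) | (c & 0x3F);
        }
        if (cp < min) return 0;                     /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0; /* UTF-16 surrogate, illegal in UTF-8 */
        if (cp > 0x10FFFF) return 0;                /* beyond the Unicode range */
        i += need + 1;
    }
    return 1;
}

/* Hypothetical wrapper: only well-formed text is handed to the layout engine. */
int render_text_checked(const char *text, size_t len)
{
    if (!utf8_is_valid((const unsigned char *)text, len)) {
        fprintf(stderr, "rejected malformed UTF-8 input (%zu bytes)\n", len);
        return 0;       /* the caller treats this as rejected input, not a crash */
    }
    /* pango_itemize() / pango_layout_set_text() would be called here */
    return 1;
}
```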

🧯 If You Can't Patch

  • Restrict network access to applications using Pango
  • Implement application whitelisting to prevent unauthorized execution

🔍 How to Verify

Check if Vulnerable:

Check the installed Pango version: pkg-config --modversion pango

Verify Fix Applied:

Verify the installed Pango version is patched per the vendor advisory.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults in Pango functions
  • Memory corruption warnings in system logs

Network Indicators:

  • Unusual network connections from applications using Pango

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "buffer overflow") AND process="*pango*"

🔗 References
