CVE-2011-3193

NameCVE-2011-3193
DescriptionHeap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-117-1
Debian Bugs641738

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pango1.0 (PTS)bullseye1.46.2-3fixed
bookworm1.50.12+ds-1fixed
sid, trixie1.56.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pango1.0source(unstable)1.28.3-1
qt4-x11sourcesqueeze4:4.6.3-4+squeeze2DLA-117-1
qt4-x11source(unstable)4:4.7.4-1641738

Notes

affected code in pango1.0 removed earlier, but this is the version checked (lenny is affected)
Search for package or bug name: Reporting problems