{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/2647?format=json",
  "vulnerability_id": "VCID-q6fy-es7y-uyas",
  "summary": "oCERT security researcher Will Drewry reported a\nseries of heap and integer overflow vulnerabilities which\nindependently affected multiple font glyph rendering libraries.  On\nLinux platforms libpango was susceptible to the vulnerabilities while\non OS X CoreGraphics was similarly vulnerable.  An attacker could\ntrigger these overflows by constructing a very large text run for the\nbrowser to display.  Such an overflow can result in a crash which the\nattacker could potentially use to run arbitrary code on a victim's\ncomputer. The open-source nature of Linux meant that Mozilla was able to work\nwith the libpango maintainers to implement the correct fix\nin version 1.24 of that system library which was distributed with OS\nsecurity updates. On Mac OS X Firefox works around the CoreGraphics\nflaw by limiting the length of text runs passed to the system.",
  "aliases": [
    {"alias": "CVE-2009-1194"}
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6297?format=json",
      "purl": "pkg:deb/debian/pango1.0@1.28.3-1%2Bsqueeze2",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/pango1.0@1.28.3-1%252Bsqueeze2"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6292?format=json",
      "purl": "pkg:deb/debian/pango1.0@1.0.1-3",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-q6fy-es7y-uyas"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/pango1.0@1.0.1-3"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6294?format=json",
      "purl": "pkg:deb/debian/pango1.0@1.14.8-5",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-q6fy-es7y-uyas"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/pango1.0@1.14.8-5"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6295?format=json",
      "purl": "pkg:deb/debian/pango1.0@1.14.8-5%2Betch1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-q6fy-es7y-uyas"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/pango1.0@1.14.8-5%252Betch1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6296?format=json",
      "purl": "pkg:deb/debian/pango1.0@1.20.5-6",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-q6fy-es7y-uyas"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/pango1.0@1.20.5-6"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/6293?format=json",
      "purl": "pkg:deb/debian/pango1.0@1.8.1-1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-q6fy-es7y-uyas"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/pango1.0@1.8.1-1"
    }
  ],
  "references": [
    {
      "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194",
      "reference_id": "CVE-2009-1194",
      "reference_type": "",
      "scores": [],
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1194"
    },
    {
      "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-36",
      "reference_id": "mfsa2009-36",
      "reference_type": "",
      "scores": [
        {"value": "critical", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2009-36"
    }
  ],
  "weaknesses": [],
  "exploits": [],
  "severity_range_score": "9.0 - 10.0",
  "exploitability": null,
  "weighted_severity": null,
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q6fy-es7y-uyas"
}