Google Chrome/ChromeOS bug – 189250
    [189250] High CVE-2013-0927: Unsafe config option loading in Pango. Credit to Pinkie Pie.

The changes are in ChromeOS’s x11-libs/Pango library.

You can read the vulnerable code in this location:

static void
read_config (void)
{
  if (!config_hash)
    {
      char *filename;
      const char *home;
      const char *envvar;

      /* The argument lists of the next two calls are cut off in the source. */
      config_hash = g_hash_table_new_full (g_str_hash, g_str_equal,
                                           /* ... */);

      /* 1. System-wide file under the Pango sysconf directory. */
      filename = g_build_filename (pango_get_sysconf_subdirectory (),
                                   /* ... */);
      read_config_file (filename, FALSE);
      g_free (filename);

      /* 2. Per-user file in the home directory. */
      home = g_get_home_dir ();
      if (home && *home)
        {
          filename = g_build_filename (home, ".pangorc", NULL);
          read_config_file (filename, FALSE);
          g_free (filename);
        }

      /* 3. File named by the PANGO_RC_FILE environment variable. */
      envvar = g_getenv ("PANGO_RC_FILE");
      if (envvar)
        read_config_file (envvar, TRUE);
    }
}

Pango reads its configuration from three places: the /etc/pango folder, the
user’s home folder, and the file named by the environment variable PANGO_RC_FILE.

If you would like to know how ChromeOS security is implemented, you can read this
blog.

Most of the folders are user-specific and are mapped when the user logs in. The problem with this code is that a library that is part of X11 reads a configuration file from the user’s home folder, and that folder is shared by all users of that particular netbook.

The attack has to follow this process:
1. The user creates a shared library module under /home/chronos/maliciousmodule/
2. The user creates a /home/chronos/.pangorc with this content:
     # pangorc file for uninstalled operation. If pango-viewer is run with
     # this file in the current directory it will set it as PANGO_RC_FILE

     ModuleFiles = ./maliciousmodule

Now this will be loaded into every X11 process. You can now sniff/manipulate
other users’ data.

Cr-48 resets the data during reboot if it finds that a particular folder has been modified. The problem is that Cr-48 does not do that for the /home/chronos folder.

So the fix is to disable the processing of configuration files in the home folder and in PANGO_RC_FILE.
