Date: Wed, 6 May 2009 00:52:42 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/134246: [patch] [vuxml] graphics/libwmf: document and fix two remote code execution vulnerabilities
Message-ID: <20090505205242.0DBB617593@amnesiac.at.no.dns>
Resent-Message-ID: <200905052110.n45LA3Ut089025@freefall.freebsd.org>
>Number: 134246
>Category: ports
>Synopsis: [patch] [vuxml] graphics/libwmf: document and fix two remote code execution vulnerabilities
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 05 21:10:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 8.0-CURRENT amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 8.0-CURRENT amd64
>Description:
Two vulnerabilities (at least) are present in the current FreeBSD's port graphics/libwmf: [1], [2].
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1364
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
>Fix:
The following patch fixes both vulnerabilities in the FreeBSD port:
--- libwmf.diff begins here --- >From 1ac505a89ecb6276374b1c39dc52579368fb97b0 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Wed, 6 May 2009 00:37:31 +0400 Patches were taken from Ubuntu's builds of libwmf, http://security.ubuntu.com/ubuntu/pool/main/libw/libwmf/libwmf_0.2.8.3-3.1ubuntu0.2.diff.gz Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- graphics/libwmf/Makefile | 2 +- graphics/libwmf/files/patch-cve-2006-3376 | 30 +++++++++++++++++++++++++++++ graphics/libwmf/files/patch-cve-2009-1364 | 14 +++++++++++++ 3 files changed, 45 insertions(+), 1 deletions(-) create mode 100644 graphics/libwmf/files/patch-cve-2006-3376 create mode 100644 graphics/libwmf/files/patch-cve-2009-1364 diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile index 16f6774..3be48d0 100644 --- a/graphics/libwmf/Makefile +++ b/graphics/libwmf/Makefile @@ -7,7 +7,7 @@ PORTNAME= libwmf PORTVERSION= 0.2.8.4 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= wvware
diff --git a/graphics/libwmf/files/patch-cve-2006-3376 b/graphics/libwmf/files/patch-cve-2006-3376 new file mode 100644 index 0000000..75c0b90 --- /dev/null +++ b/graphics/libwmf/files/patch-cve-2006-3376 @@ -0,0 +1,30 @@ +Fix for CVE-2006-3376. + +Obtained from: Ubuntu +--- src/player.c ++++ src/player.c +@@ -23,6 +23,7 @@ + + #include <stdio.h> + #include <stdlib.h> ++#include <stdint.h> + #include <string.h> + #include <math.h> + +@@ -132,8 +133,14 @@ + } + } + +-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); +- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2) ++ { ++ API->err = wmf_E_InsMem; ++ WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); diff --git a/graphics/libwmf/files/patch-cve-2009-1364 b/graphics/libwmf/files/patch-cve-2009-1364 new file mode 100644 index 0000000..dfce754 --- /dev/null +++ b/graphics/libwmf/files/patch-cve-2009-1364 
@@ -0,0 +1,14 @@ +Patch for CVE-2009-1364 + +Obtained from: Ubuntu + +--- src/extra/gd/gd_clip.c ++++ src/extra/gd/gd_clip.c +@@ -70,6 +70,7 @@ + { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); + if (more == 0) return; + im->clip->max += 8; ++ im->clip->list = more; + } + im->clip->list[im->clip->count] = (*rect); + im->clip->count++; -- 1.6.2.5 --- libwmf.diff ends here ---
The following VuXML entries should be evaluated and added:
--- vuln-1.xml begins here ---
<vuln vid="8dba4ad9-39b3-11de-a493-001b77d09812">
  <topic>libwmf -- Denial of Service and possible remote code execution</topic>
  <affects>
    <package>
      <name>libwmf</name>
      <range><lt>0.2.8.4_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>SecurityFocus reports:</p>
      <blockquote cite="http://www.securityfocus.com/bid/34792/discuss">
        <p>The 'libwmf' library is prone to a buffer-overflow vulnerability because the vector graphics linked library improperly allocates memory when parsing WMF image files.</p>
        <p>Successfully exploiting this issue would allow an attacker to corrupt memory and execute arbitrary code in the context of the currently logged-in user.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename></cvename>
    <bid>34792</bid>
    <url>http://secunia.com/advisories/34901/</url>
  </references>
  <dates>
    <discovery>2009-05-05</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln-1.xml ends here ---

--- vuln-2.xml begins here ---
<vuln vid="ad1cca02-39b2-11de-a493-001b77d09812">
  <topic>libwmf -- heap overflow and arbitrary code execution</topic>
  <affects>
    <package>
      <name>libwmf</name>
      <range><lt>0.2.8.4_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/advisories/20921">
        <p>infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library.</p>
        <p>The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed.</p>
        <p>Successful exploitation may allow execution of arbitrary code.</p>
      </blockquote>
      <p>SecurityFocus additionally reports:</p>
      <blockquote cite="http://www.securityfocus.com/bid/18751/discuss">
        <p>Failed exploit attempts will likely cause denial-of-service conditions.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2006-3376</cvename>
    <bid>18751</bid>
    <url>http://secunia.com/advisories/20921</url>
  </references>
  <dates>
    <discovery>2006-08-10</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln-2.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
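Review bot: on the graphics/libwmf/Makefile hunk, the PORTREVISION bump from 2 to 3 lines up with the `<range><lt>0.2.8.4_3</lt></range>` used in both VuXML entries, so the advisory will mark exactly the unpatched package as affected; nothing further needed there.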
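Review bot: in the files/patch-cve-2006-3376 hunk for src/player.c, the guard `if (MAX_REC_SIZE(API) > UINT32_MAX / 2)` is sufficient only because the allocation size is written as `MAX_REC_SIZE(API) * 2 * sizeof (unsigned char)` and C evaluates that left to right, so the doubling happens in the 32-bit unsigned type the UINT32_MAX bound implies and wraps before the product is widened to size_t; a one-line comment next to the check stating that dependency would stop a later reordering of the expression from silently defeating the guard. Reporting the rejection as `wmf_E_InsMem` is acceptable for a vendor backport, but the condition is really a malformed header, and the unchanged "bailing..." debug text gives no hint that an oversized MaxRecordSize was the cause. The added `#include <stdint.h>` is required for UINT32_MAX and is correctly placed with the other system headers.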
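Review bot: in the files/patch-cve-2009-1364 hunk for src/extra/gd/gd_clip.c, the single added line `im->clip->list = more;` is the whole fix and is correct: before it, `gdRealloc` could return a new block while the code only bumped `im->clip->max`, so the append on the following two lines kept writing through the stale `im->clip->list` pointer into memory that was never enlarged and may already have been freed. One pre-existing wart worth a follow-up, not for this backport: `if (more == 0) return;` drops the rectangle silently on allocation failure with no error reaching the caller.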
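As an added illustration, not part of this PR or of libwmf, the C snippet below shows why the `UINT32_MAX / 2` bound in the player.c patch is the right cut-off: with MaxRecordSize held in a 32-bit unsigned value, the doubling wraps before the result is widened to size_t, so a constructed header value of 0x80000001 produces a 2-byte buffer. The function names are hypothetical and the header value is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size computation in the shape of the original libwmf
 * allocation: max_rec is the 32-bit MaxRecordSize from the WMF header,
 * and (max_rec * 2) is evaluated in 32-bit unsigned arithmetic before
 * the product is widened to size_t, so it can wrap. */
static size_t unchecked_param_size(uint32_t max_rec)
{
    return max_rec * 2 * sizeof (unsigned char);
}

/* Guarded version using the same bound as the patch: refuse any
 * MaxRecordSize above UINT32_MAX / 2 so the doubling cannot wrap.
 * Returns 1 and stores the size on success, 0 when the header is
 * rejected. (Hypothetical helper, not a libwmf API.) */
static int checked_param_size(uint32_t max_rec, size_t *out)
{
    if (max_rec > UINT32_MAX / 2)
        return 0;                        /* would wrap: reject the file */
    *out = (size_t) max_rec * 2 * sizeof (unsigned char);
    return 1;
}

/* Allocate the parameter buffer only when the size check passes;
 * returns NULL for a rejected header or an allocation failure. */
static unsigned char *alloc_params(uint32_t max_rec)
{
    size_t n;
    if (!checked_param_size(max_rec, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed hostile header value: 0x80000001 * 2 wraps to 2. */
    uint32_t hostile = 0x80000001u;
    size_t n = 0;
    unsigned char *p;

    printf("unchecked size for 0x%08x: %zu bytes\n", hostile, unchecked_param_size(hostile));
    printf("checked:   %s\n", checked_param_size(hostile, &n) ? "accepted" : "rejected");
    p = alloc_params(4096);
    printf("sane header (4096): %s\n", p ? "allocated 8192 bytes" : "failed");
    free(p);
    return 0;
}
```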