Bug 496864 (CVE-2009-1364)
| Summary: | CVE-2009-1364 libwmf: embedded gd use-after-free error | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | caolanm, jlieskov, kreilly, mjc, security-response-team, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-05-27 19:20:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 497509, 497510, 497511, 497512, 502584, 833933 | ||
| Bug Blocks: | |||
According to libwmf upstream CVS: http://wvware.cvs.sourceforge.net/viewvc/wvware/libwmf2/src/extra/gd/gd_clip.c?hideattic=0&view=log embedded gd has been removed and system gd should be used instead. While the change has been done in upstream CVS quite some time ago in what seems like a preparation for new major version (0.3), that version has not been released yet. Latest released version 0.2.8.4 still contains embedded gd. Though I have not found any other gd version with affected function / source file. According to readme, libwmf should embed gd 2.0.1 BETA, but the affected code is not in gd 2.0.0 or 2.0.1 (and few other version I've checked, or can be found using google codesearch). Caolan, you seem to be the original libwmf author, do you possibly remember some details about this? Is this some libwmf-specific extension of gd? Lifting embargo This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:0457 https://rhn.redhat.com/errata/RHSA-2009-0457.html libwmf-0.2.8.4-18.1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc9 libwmf-0.2.8.4-18.1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc10 libwmf-0.2.8.4-20.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-20.fc11 libwmf-0.2.8.4-20.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. libwmf-0.2.8.4-18.1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. libwmf-0.2.8.4-18.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. |
Tavis Ormandy reported a use-after-free error affecing liwmf library. Flaw exists in gdClipSetAdd in src/extra/gd/gd_clip.c. 69 if (im->clip->count == im->clip->max) 70 { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); 71 if (more == 0) return; 72 im->clip->max += 8; 73 } more returned by gdRealloc (wrapper around standard realloc) is not assigned to im->clip->list as it should, im->clip->list may point to memory no longer used or allocated to something else. Acknowledgements: Red Hat would like to thank Tavis Ormandy of the Google Security Team for responsibly reporting this flaw.