Bug 660161
| Summary: | Embeds vulnerable version of gd prone to many CVEs | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Silvio Cesare <silvio.cesare> |
| Component: | libwmf | Assignee: | Caolan McNamara <caolanm> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 14 | CC: | security-response-team, silvio.cesare, thoger, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libwmf-0.2.8.4-22.fc13 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-01-04 20:57:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Silvio Cesare
2010-12-05 22:56:48 UTC
The reason libgd was ever embedded because the original version back then didn't have a clipping mechanism. The new one does, but I'm not sure that its compatible with what libwmf needs. Yeah, needs a custom clipper to emulate the wmf clipping mechanism. Went through the full CVE,CAN list etc. and applied everything that's relevant. The GIF ones and threading ones aren't relevant to the embedded copy. A lot are fairly minor denial of service things, but bunged everything in Looking at this closer, I don't think libwmf in current Fedora and RHEL6 use the embedded gd. Looking at the spec, there are requires on gd-devel for libwmf-devel, and a BuildRequires on gd-devel. Using my rpm query tool, searching for the _gdGetColors symbol, the only thing in Fedora that show it are gd and plt-scheme; libwmf doesn't come up at all. It does, however, come up for RHEL4 and 5 (that would be indicative of being vulnerable to CVE-2009-3546). Oddly enough, I see no requires on libgd for libwmf either. Are you sure that libwmf is using the embedded gd in Fedora? Or am I missing something? I imagine that the gd-devel requires are bogus. Its definitely linking against the embedded one. Searching for an *exported*_gdGetColors symbol from libwmf doesn't mean anything because at some stage I changed the visibility of symbols of the embedded gd to be local and not exported out of libwmf. Ok, great, thanks. That clarifies things. Will note RHEL6 as affected also. This is pretty low impact, so we don't plan on scheduling fixes for these right now (in RHEL). Has anyone had a closer look which of the obvious non-issues may be less obvious non-issues in libwmf context? libwmf-0.2.8.4-22.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13 libwmf-0.2.8.4-27.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-27.fc14 libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libwmf'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13 libwmf-0.2.8.4-27.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |