Red Hat Bugzilla – Bug 198290
CVE-2006-3376 libwmf integer overflow
Last modified: 2007-11-30 17:07:26 EST
libwmf integer overflow
infamous41md discovered an integer overflow bug in libwmf.
There is more information here:
Created attachment 132225
maybe this will suffice
Created attachment 132312
I don't have a proper test case, but here's a wmf which has a size field which
will overflow as reported above on a box where size_t is 32. With the fix in
place it shouldn't open on such a system.
built and mkerrata-wrapper dist-4E-errata-candidate libwmf-0.2.8.3-5.2 has been run.
The attached .wmf shouldn't open on 32-bit platforms after this change, but
normal .wmf's should.
RHSA-2006:0597 in progress.
Created attachment 132425
maybe a better testcase
Maybe this testcase will trigger better on RHEL-4?
Seems to work better, but shows I need another fix for casting on 64-bit.
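The two failure modes mentioned in the comments above (a size field that overflows where size_t is 32 bits, and a casting problem on 64-bit) can be shown side by side. This is an added example, not code from libwmf or from the Red Hat patch; it assumes the size field is a 32-bit count of 16-bit words, the function names are hypothetical, and the late-widening cast is one common form of 64-bit casting bug, not necessarily the one fixed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Byte count computed in 32-bit arithmetic, as on a system where size_t is
 * 32 bits wide: a large word count wraps to a small number. */
static uint32_t bytes_32bit(uint32_t words)
{
    return words * 2u;
}

/* 64-bit pitfall: the multiply still happens in 32 bits, and only the
 * already-wrapped result is widened. */
static uint64_t bytes_widened_late(uint32_t words)
{
    return (uint64_t)(words * 2u);
}

/* Checked form: widen before multiplying and refuse any count whose byte
 * size does not fit the allocator's size type (size_max stands in for
 * SIZE_MAX so both platforms can be shown on one machine). */
static bool bytes_checked(uint32_t words, uint64_t size_max, uint64_t *out)
{
    if ((uint64_t)words > size_max / 2u)
        return false;            /* reject the file instead of allocating */
    *out = (uint64_t)words * 2u;
    return true;
}

int main(void)
{
    const uint32_t crafted = 0x80000004u; /* constructed sample value */
    uint64_t n = 0;

    printf("32-bit arithmetic: %u bytes\n", (unsigned)bytes_32bit(crafted));
    printf("widened late:      %llu bytes\n",
           (unsigned long long)bytes_widened_late(crafted));
    printf("32-bit size_t, checked: %s\n",
           bytes_checked(crafted, UINT32_MAX, &n) ? "accepted" : "rejected");
    if (bytes_checked(crafted, UINT64_MAX, &n))
        printf("64-bit size_t, checked: %llu bytes\n", (unsigned long long)n);
    return 0;
}
```

With the check in place, the constructed value is rejected when the size type is 32 bits, while an ordinary small count is accepted on both widths.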
built and mkerrata-wrapper dist-4E-errata-candidate libwmf-0.2.8.3-5.3 has been run.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.