This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 462639 - (CVE-2008-2237) CVE-2008-2237 WMF integer overflow
CVE-2008-2237 WMF integer overflow
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 462642 462643 462644 462645 462719 462720 462721
  Show dependency treegraph
Reported: 2008-09-17 14:50 EDT by Josh Bressers
Modified: 2016-03-04 06:34 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-06 05:59:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Terms of Use)
upstream's patch (original horrific patch format) (1.17 KB, patch)
2008-09-17 17:58 EDT, Caolan McNamara
no flags Details | Diff
better patch format (1.98 KB, patch)
2008-09-18 03:30 EDT, Caolan McNamara
no flags Details | Diff

  None (edit)
Description Josh Bressers 2008-09-17 14:50:07 EDT
The SureRun Security team reported an integer overflow in's Windows Metafile (WMF) parser.

To quote the advisory from SureRun:
    The vulnerability exists within the code responsible for parsing the
    META_ESCAPE record in an WMF file. This code reads in two 32-bit
    integers from the file, and then uses them in an arithmetic operation
    that calculates the number of bytes to allocate for a dynamic buffer.
    This calculation can overflow, resulting in an insufficiently sized
    buffer being allocated. Subsequently, this buffer is overflowed with
    data from the file.
Comment 2 Josh Bressers 2008-09-17 15:00:31 EDT

Do you have the upstream patch for this one?

Comment 4 Josh Bressers 2008-09-17 15:04:00 EDT
It looks like the 2.0.x branch and below do not support WMF files, hence they should not be affected by this flaw.

It appears to have been added in 2.1.x somewhere.
Comment 6 Caolan McNamara 2008-09-17 17:58:36 EDT
Created attachment 317014 [details]
upstream's patch (original horrific patch format)

I'm not sure that 1.1.X and any particular 2.X.Y are unaffected ? looks like pretty much the same code as current.
Comment 7 Josh Bressers 2008-09-17 20:45:10 EDT
I'm inclined to believe you if you say it affects 1.1.x and 2.x.y.  I couldn't get them to open the WMF format.
Comment 8 Caolan McNamara 2008-09-18 03:30:52 EDT
Created attachment 317041 [details]
better patch format

Insert Picture->From File might have some success in handling a .wmf file on earlier versions
Comment 9 Josh Bressers 2008-09-18 10:44:39 EDT
So it does.  I'll file bugs for the various other versions of OOo we have.

Comment 11 Tomas Hoger 2008-10-29 06:45:04 EDT
Public now via:

Fixed upstream in 2.4.2.
Comment 12 Fedora Update System 2008-10-30 04:39:17 EDT has been submitted as an update for Fedora 8.
Comment 13 Fedora Update System 2008-10-30 04:49:33 EDT has been submitted as an update for Fedora 9.
Comment 14 Fedora Update System 2008-10-31 06:23:40 EDT has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-10-31 06:27:05 EDT has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.