Bug 496864 - (CVE-2009-1364) CVE-2009-1364 libwmf: embedded gd use-after-free error
CVE-2009-1364 libwmf: embedded gd use-after-free error
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20090416,pu...
: Security
Depends On: 497509 497510 497511 497512 502584 833933
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-21 09:58 EDT by Tomas Hoger
Modified: 2017-02-01 11:37 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-27 15:20:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2009-04-21 09:58:28 EDT
Tavis Ormandy reported a use-after-free error affecing liwmf library.  Flaw
exists in gdClipSetAdd in src/extra/gd/gd_clip.c.

 69         if (im->clip->count == im->clip->max)
 70         {       more = gdRealloc (im->clip->list,(im->clip->max + 8) *
sizeof (gdClipRectangle));
 71                 if (more == 0) return;
 72                 im->clip->max += 8;
 73         }

more returned by gdRealloc (wrapper around standard realloc) is not assigned to
im->clip->list as it should, im->clip->list may point to memory no longer used
or allocated to something else.

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team for
responsibly reporting this flaw.
Comment 2 Tomas Hoger 2009-04-21 10:21:10 EDT
According to libwmf upstream CVS:
http://wvware.cvs.sourceforge.net/viewvc/wvware/libwmf2/src/extra/gd/gd_clip.c?hideattic=0&view=log

embedded gd has been removed and system gd should be used instead.  While the change has been done in upstream CVS quite some time ago in what seems like a preparation for new major version (0.3), that version has not been released yet.  Latest released version 0.2.8.4 still contains embedded gd.

Though I have not found any other gd version with affected function / source file.  According to readme, libwmf should embed gd 2.0.1 BETA, but the affected code is not in gd 2.0.0 or 2.0.1 (and few other version I've checked, or can be found using google codesearch).

Caolan, you seem to be the original libwmf author, do you possibly remember some details about this?  Is this some libwmf-specific extension of gd?
Comment 12 Jan Lieskovsky 2009-04-30 16:02:42 EDT
Lifting embargo
Comment 13 errata-xmlrpc 2009-04-30 16:42:53 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0457 https://rhn.redhat.com/errata/RHSA-2009-0457.html
Comment 15 Fedora Update System 2009-05-26 10:07:56 EDT
libwmf-0.2.8.4-18.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc9
Comment 16 Fedora Update System 2009-05-26 10:08:02 EDT
libwmf-0.2.8.4-18.1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc10
Comment 17 Fedora Update System 2009-05-26 10:08:07 EDT
libwmf-0.2.8.4-20.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-20.fc11
Comment 18 Fedora Update System 2009-05-27 15:03:18 EDT
libwmf-0.2.8.4-20.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-05-27 15:03:55 EDT
libwmf-0.2.8.4-18.1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2009-05-27 15:04:41 EDT
libwmf-0.2.8.4-18.1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.