Bug 660161 - Embeds vulnerable version of gd prone to many CVEs
Embeds vulnerable version of gd prone to many CVEs
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libwmf (Show other bugs)
14
Unspecified Unspecified
low Severity medium
: ---
: ---
Assigned To: Caolan McNamara
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-12-05 17:56 EST by Silvio Cesare
Modified: 2011-01-04 15:59 EST (History)
4 users (show)

See Also:
Fixed In Version: libwmf-0.2.8.4-22.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-04 15:57:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Silvio Cesare 2010-12-05 17:56:48 EST
Description of problem:

libwmf embeds an old version of gd (2.0.1beta) which has a number of vulnerabilities associated with it.

CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478

Cursory inspection of one of the patch diffs shows that no patches have been applied to libwmf.

Version-Release number of selected component (if applicable):

Name: libwmf
Version: 0.2.8.4
Release: 26.fc14

Additional info:

Ideally, the system wide gd library could be used instead of the embedded copy. This would prevent future issues like this from happening.
Comment 1 Caolan McNamara 2010-12-06 05:18:06 EST
The reason libgd was ever embedded because the original version back then didn't have a clipping mechanism. The new one does, but I'm not sure that its compatible with what libwmf needs.
Comment 2 Caolan McNamara 2010-12-06 10:24:49 EST
Yeah, needs a custom clipper to emulate the wmf clipping mechanism.

Went through the full CVE,CAN list etc. and applied everything that's relevant. The GIF ones and threading ones aren't relevant to the embedded copy. A lot are fairly minor denial of service things, but bunged everything in
Comment 6 Vincent Danen 2010-12-06 16:32:48 EST
Looking at this closer, I don't think libwmf in current Fedora and RHEL6 use the embedded gd.

Looking at the spec, there are requires on gd-devel for libwmf-devel, and a BuildRequires on gd-devel.

Using my rpm query tool, searching for the _gdGetColors symbol, the only thing in Fedora that show it are gd and plt-scheme; libwmf doesn't come up at all.  It does, however, come up for RHEL4 and 5 (that would be indicative of being vulnerable to CVE-2009-3546).

Oddly enough, I see no requires on libgd for libwmf either.

Are you sure that libwmf is using the embedded gd in Fedora?  Or am I missing something?
Comment 7 Caolan McNamara 2010-12-07 04:04:28 EST
I imagine that the gd-devel requires are bogus. Its definitely linking against the embedded one.

Searching for an *exported*_gdGetColors symbol from libwmf doesn't mean anything because at some stage I changed the visibility of symbols of the embedded gd to be local and not exported out of libwmf.
Comment 8 Vincent Danen 2010-12-16 12:52:31 EST
Ok, great, thanks.  That clarifies things.  Will note RHEL6 as affected also.  This is pretty low impact, so we don't plan on scheduling fixes for these right now (in RHEL).
Comment 9 Tomas Hoger 2010-12-16 14:37:39 EST
Has anyone had a closer look which of the obvious non-issues may be less obvious non-issues in libwmf context?
Comment 10 Fedora Update System 2010-12-17 03:17:05 EST
libwmf-0.2.8.4-22.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13
Comment 11 Fedora Update System 2010-12-17 03:17:07 EST
libwmf-0.2.8.4-27.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-27.fc14
Comment 12 Fedora Update System 2010-12-17 15:26:15 EST
libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libwmf'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13
Comment 13 Fedora Update System 2011-01-04 15:56:57 EST
libwmf-0.2.8.4-27.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2011-01-04 15:59:19 EST
libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.