Bug 660161 - Embeds vulnerable version of gd prone to many CVEs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libwmf
Version: 14
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Caolan McNamara
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-05 22:56 UTC by Silvio Cesare
Modified: 2011-01-04 20:59 UTC

Fixed In Version: libwmf-0.2.8.4-22.fc13
Clone Of:
Environment:
Last Closed: 2011-01-04 20:57:02 UTC
Type: ---
Embargoed:



Description Silvio Cesare 2010-12-05 22:56:48 UTC
Description of problem:

libwmf embeds an old version of gd (2.0.1beta) which has a number of vulnerabilities associated with it.

CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478

Cursory inspection of one of the patch diffs shows that no patches have been applied to libwmf.

Version-Release number of selected component (if applicable):

Name: libwmf
Version: 0.2.8.4
Release: 26.fc14

Additional info:

Ideally, the system wide gd library could be used instead of the embedded copy. This would prevent future issues like this from happening.

Comment 1 Caolan McNamara 2010-12-06 10:18:06 UTC
The reason libgd was ever embedded is because the original version back then didn't have a clipping mechanism. The new one does, but I'm not sure that it's compatible with what libwmf needs.

Comment 2 Caolan McNamara 2010-12-06 15:24:49 UTC
Yeah, needs a custom clipper to emulate the wmf clipping mechanism.

Went through the full CVE, CAN list etc. and applied everything that's relevant. The GIF ones and threading ones aren't relevant to the embedded copy. A lot are fairly minor denial of service things, but bunged everything in.

Comment 6 Vincent Danen 2010-12-06 21:32:48 UTC
Looking at this closer, I don't think libwmf in current Fedora and RHEL6 uses the embedded gd.

Looking at the spec, there are requires on gd-devel for libwmf-devel, and a BuildRequires on gd-devel.

Using my rpm query tool, searching for the _gdGetColors symbol, the only things in Fedora that show it are gd and plt-scheme; libwmf doesn't come up at all. It does, however, come up for RHEL4 and 5 (that would be indicative of being vulnerable to CVE-2009-3546).

Oddly enough, I see no requires on libgd for libwmf either.

Are you sure that libwmf is using the embedded gd in Fedora?  Or am I missing something?

Comment 7 Caolan McNamara 2010-12-07 09:04:28 UTC
I imagine that the gd-devel requires are bogus. It's definitely linking against the embedded one.

Searching for an *exported* _gdGetColors symbol from libwmf doesn't mean anything because at some stage I changed the visibility of symbols of the embedded gd to be local and not exported out of libwmf.
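
An added example, not part of the original thread or of any Fedora tooling: a sketch of why the exported-symbol search in comment 6 misses a hidden embedded copy, and what to check alongside it. The function names, the `libgd.so` soname prefix and the sample `nm`/`readelf` output are assumptions constructed for illustration.

```python
import re

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def symbol_types(nm_output, symbol):
    """Collect the nm type letters reported for `symbol` (e.g. 'T', 't', 'U')."""
    types = set()
    for line in nm_output.splitlines():
        parts = line.split()
        # Defined: "<addr> <type> <name>"; undefined: "<type> <name>".
        if len(parts) >= 2 and parts[-1].split("@")[0] == symbol:
            types.add(parts[-2])
    return types

def classify(nm_dynamic, nm_full, readelf_dynamic,
             symbol="_gdGetColors", soname_prefix="libgd.so"):
    """Inputs are the text of `nm -D`, `nm` and `readelf -d` for one library."""
    if symbol_types(nm_dynamic, symbol) & {"T", "W"}:
        return "embedded-exported"   # the only case an export search finds
    if "t" in symbol_types(nm_full, symbol):
        return "embedded-hidden"     # defined locally, invisible to `nm -D`
    needed = NEEDED_RE.findall(readelf_dynamic)
    if any(lib.startswith(soname_prefix) for lib in needed):
        return "system-library"
    # A stripped file has no local symbols left, so this is not a clean result.
    return "unknown"

# Constructed sample tool output (not captured from a real libwmf build).
HIDDEN = dict(
    nm_dynamic="0000000000009f10 T wmf_api_create\n",
    nm_full="0000000000009f10 T wmf_api_create\n000000000001a2b0 t _gdGetColors\n",
    readelf_dynamic=" 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
)
EXPORTED = dict(
    nm_dynamic="000000000001a2b0 T _gdGetColors\n",
    nm_full="000000000001a2b0 T _gdGetColors\n",
    readelf_dynamic=" 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
)
SYSTEM = dict(
    nm_dynamic="                 U gdImageCreate\n",
    nm_full="                 U gdImageCreate\n",
    readelf_dynamic=" 0x0000000000000001 (NEEDED)  Shared library: [libgd.so.2]\n",
)

if __name__ == "__main__":
    for name, sample in (("hidden", HIDDEN), ("exported", EXPORTED), ("system", SYSTEM)):
        print(name, "->", classify(**sample))
```

On a stripped library the local symbol table is gone, so an "unknown" result needs the debuginfo package or a source-level check of the build before the package is recorded as unaffected.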

Comment 8 Vincent Danen 2010-12-16 17:52:31 UTC
Ok, great, thanks.  That clarifies things.  Will note RHEL6 as affected also.  This is pretty low impact, so we don't plan on scheduling fixes for these right now (in RHEL).

Comment 9 Tomas Hoger 2010-12-16 19:37:39 UTC
Has anyone had a closer look which of the obvious non-issues may be less obvious non-issues in libwmf context?

Comment 10 Fedora Update System 2010-12-17 08:17:05 UTC
libwmf-0.2.8.4-22.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13

Comment 11 Fedora Update System 2010-12-17 08:17:07 UTC
libwmf-0.2.8.4-27.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-27.fc14

Comment 12 Fedora Update System 2010-12-17 20:26:15 UTC
libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libwmf'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13

Comment 13 Fedora Update System 2011-01-04 20:56:57 UTC
libwmf-0.2.8.4-27.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2011-01-04 20:59:19 UTC
libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

