Red Hat Bugzilla – Bug 660161
Embeds vulnerable version of gd prone to many CVEs
Last modified: 2011-01-04 15:59:25 EST
Description of problem:
libwmf embeds an old version of gd (2.0.1beta) which has a number of vulnerabilities associated with it.
CVE-2007-0455 CVE-2007-3472 CVE-2007-3473 CVE-2007-3474 CVE-2007-3475 CVE-2007-3476 CVE-2007-3477 CVE-2007-3478
Cursory inspection of one of the patch diffs shows that no patches have been applied to libwmf.
Version-Release number of selected component (if applicable):
Ideally, the system wide gd library could be used instead of the embedded copy. This would prevent future issues like this from happening.
The reason libgd was ever embedded was because the original version back then didn't have a clipping mechanism. The new one does, but I'm not sure that it's compatible with what libwmf needs.
Yeah, needs a custom clipper to emulate the wmf clipping mechanism.
Went through the full CVE, CAN list etc. and applied everything that's relevant. The GIF ones and threading ones aren't relevant to the embedded copy. A lot are fairly minor denial of service things, but bunged everything in.
Looking at this closer, I don't think libwmf in current Fedora and RHEL6 use the embedded gd.
Looking at the spec, there are requires on gd-devel for libwmf-devel, and a BuildRequires on gd-devel.
Using my rpm query tool, searching for the _gdGetColors symbol, the only things in Fedora that show it are gd and plt-scheme; libwmf doesn't come up at all. It does, however, come up for RHEL4 and 5 (that would be indicative of being vulnerable to CVE-2009-3546).
Oddly enough, I see no requires on libgd for libwmf either.
Are you sure that libwmf is using the embedded gd in Fedora? Or am I missing something?
I imagine that the gd-devel requires are bogus. It's definitely linking against the embedded one.
Searching for an *exported* _gdGetColors symbol from libwmf doesn't mean anything because at some stage I changed the visibility of symbols of the embedded gd to be local and not exported out of libwmf.
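The point made in the comments above, as an added example that is not part of the original thread: a check that looks only at exported symbols misses an embedded copy whose symbols are local, so this sketch also consults the full symbol table and the DT_NEEDED entries. The `nm` and `readelf -d` output is constructed sample data, and the function names and result strings are assumptions for illustration.

```python
import re

MARKER = "_gdGetColors"  # gd-internal symbol named in the thread

# Constructed sample: `nm -D --defined-only` on a libwmf-like library.
NM_DYNAMIC = """\
0000000000004a10 T wmf_api_create
0000000000004c80 T wmf_api_destroy
"""
# Constructed sample: plain `nm` on the unstripped library (or its debuginfo).
NM_FULL = NM_DYNAMIC + """\
0000000000012f40 t _gdGetColors
0000000000013100 t gdImageCreateFromGd
                 U malloc
"""
# Constructed sample: `readelf -d` lines; note there is no libgd entry.
READELF_D = """\
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

def nm_symbols(nm_output):
    """Map defined symbol name -> nm type letter (uppercase global, lowercase local)."""
    symbols = {}
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 3:  # undefined symbols carry no address column
            continue
        symbols[parts[-1].split("@")[0]] = parts[-2]  # drop @@VERSION suffix
    return symbols

def needed_libs(readelf_dynamic):
    """Return the DT_NEEDED sonames listed in `readelf -d` output."""
    return re.findall(r"\(NEEDED\).*?\[([^\]]+)\]", readelf_dynamic)

def classify(nm_dynamic, nm_full, readelf_dynamic, marker=MARKER, soname="libgd"):
    """Decide how a library gets its gd code, checking embedded copies first."""
    if marker in nm_symbols(nm_dynamic):
        return "embedded copy, symbols exported"
    full = nm_symbols(nm_full)
    if marker in full and full[marker].islower():
        return "embedded copy, symbols local"
    if any(lib.startswith(soname) for lib in needed_libs(readelf_dynamic)):
        return "links system library"
    return "no evidence (stripped binary? check debuginfo)"

if __name__ == "__main__":
    print(classify(NM_DYNAMIC, NM_FULL, READELF_D))
```

Shipped libraries are normally stripped, so the full symbol table usually has to come from the matching debuginfo package.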
Ok, great, thanks. That clarifies things. Will note RHEL6 as affected also. This is pretty low impact, so we don't plan on scheduling fixes for these right now (in RHEL).
Has anyone had a closer look which of the obvious non-issues may be less obvious non-issues in libwmf context?
libwmf-0.2.8.4-22.fc13 has been submitted as an update for Fedora 13.
libwmf-0.2.8.4-27.fc14 has been submitted as an update for Fedora 14.
libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update libwmf'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libwmf-0.2.8.4-22.fc13
libwmf-0.2.8.4-27.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
libwmf-0.2.8.4-22.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.