Tavis Ormandy reported a use-after-free error affecing liwmf library. Flaw exists in gdClipSetAdd in src/extra/gd/gd_clip.c. 69 if (im->clip->count == im->clip->max) 70 { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); 71 if (more == 0) return; 72 im->clip->max += 8; 73 } more returned by gdRealloc (wrapper around standard realloc) is not assigned to im->clip->list as it should, im->clip->list may point to memory no longer used or allocated to something else. Acknowledgements: Red Hat would like to thank Tavis Ormandy of the Google Security Team for responsibly reporting this flaw.
According to libwmf upstream CVS: http://wvware.cvs.sourceforge.net/viewvc/wvware/libwmf2/src/extra/gd/gd_clip.c?hideattic=0&view=log embedded gd has been removed and system gd should be used instead. While the change has been done in upstream CVS quite some time ago in what seems like a preparation for new major version (0.3), that version has not been released yet. Latest released version 0.2.8.4 still contains embedded gd. Though I have not found any other gd version with affected function / source file. According to readme, libwmf should embed gd 2.0.1 BETA, but the affected code is not in gd 2.0.0 or 2.0.1 (and few other version I've checked, or can be found using google codesearch). Caolan, you seem to be the original libwmf author, do you possibly remember some details about this? Is this some libwmf-specific extension of gd?
Lifting embargo
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:0457 https://rhn.redhat.com/errata/RHSA-2009-0457.html
libwmf-0.2.8.4-18.1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc9
libwmf-0.2.8.4-18.1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc10
libwmf-0.2.8.4-20.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-20.fc11
libwmf-0.2.8.4-20.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
libwmf-0.2.8.4-18.1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libwmf-0.2.8.4-18.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.