Bug 496864 (CVE-2009-1364) - CVE-2009-1364 libwmf: embedded gd use-after-free error
Summary: CVE-2009-1364 libwmf: embedded gd use-after-free error
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1364
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 497509 497510 497511 497512 502584 833933
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-21 13:58 UTC by Tomas Hoger
Modified: 2019-09-29 12:30 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-27 19:20:25 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0457 normal SHIPPED_LIVE Moderate: libwmf security update 2009-04-30 20:42:49 UTC

Description Tomas Hoger 2009-04-21 13:58:28 UTC
Tavis Ormandy reported a use-after-free error affecing liwmf library.  Flaw
exists in gdClipSetAdd in src/extra/gd/gd_clip.c.

 69         if (im->clip->count == im->clip->max)
 70         {       more = gdRealloc (im->clip->list,(im->clip->max + 8) *
sizeof (gdClipRectangle));
 71                 if (more == 0) return;
 72                 im->clip->max += 8;
 73         }

more returned by gdRealloc (wrapper around standard realloc) is not assigned to
im->clip->list as it should, im->clip->list may point to memory no longer used
or allocated to something else.

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team for
responsibly reporting this flaw.

Comment 2 Tomas Hoger 2009-04-21 14:21:10 UTC
According to libwmf upstream CVS:
http://wvware.cvs.sourceforge.net/viewvc/wvware/libwmf2/src/extra/gd/gd_clip.c?hideattic=0&view=log

embedded gd has been removed and system gd should be used instead.  While the change has been done in upstream CVS quite some time ago in what seems like a preparation for new major version (0.3), that version has not been released yet.  Latest released version 0.2.8.4 still contains embedded gd.

Though I have not found any other gd version with affected function / source file.  According to readme, libwmf should embed gd 2.0.1 BETA, but the affected code is not in gd 2.0.0 or 2.0.1 (and few other version I've checked, or can be found using google codesearch).

Caolan, you seem to be the original libwmf author, do you possibly remember some details about this?  Is this some libwmf-specific extension of gd?

Comment 12 Jan Lieskovsky 2009-04-30 20:02:42 UTC
Lifting embargo

Comment 13 errata-xmlrpc 2009-04-30 20:42:53 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0457 https://rhn.redhat.com/errata/RHSA-2009-0457.html

Comment 15 Fedora Update System 2009-05-26 14:07:56 UTC
libwmf-0.2.8.4-18.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc9

Comment 16 Fedora Update System 2009-05-26 14:08:02 UTC
libwmf-0.2.8.4-18.1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-18.1.fc10

Comment 17 Fedora Update System 2009-05-26 14:08:07 UTC
libwmf-0.2.8.4-20.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libwmf-0.2.8.4-20.fc11

Comment 18 Fedora Update System 2009-05-27 19:03:18 UTC
libwmf-0.2.8.4-20.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-05-27 19:03:55 UTC
libwmf-0.2.8.4-18.1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2009-05-27 19:04:41 UTC
libwmf-0.2.8.4-18.1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.