Your message dated Fri, 31 Jul 2015 09:41:13 +0000 with message-id <[email protected]> and subject line Bug#784192: fixed in libwmf 0.2.8.4-10.4 has caused the Debian Bug report #784192, regarding CVE-2015-4696: wmf2gd/wmf2eps use after free to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
784192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libwmf-bin

When recompiling libwmf-bin and enabling ASAN, trying to use it with one of the examples provided in the package (cell.wmf) a heap-use-after-free is reported. The same cell.wmf can be used in wmf2svg without any warning.

$ /home/fmunozs/ramdisk/wmf2gd --wmf-fontdir=/usr/share/fonts/type1/gsfonts examples/cell.wmf
=================================================================
==10173==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5208670 at pc 0x805d0bc bp 0xbfc07688 sp 0xbfc07678
READ of size 4 at 0xb5208670 thread T0
    #0 0x805d0bb in gd_translate_ft64 ../../src/ipa/xgd/device.h:241
    #1 0x805d0bb in gd_translate ../../src/ipa/xgd/device.h:230
    #2 0x805d0bb in wmf_gd_region_clip ../../src/ipa/xgd/region.h:112
    #3 0x818ebb0 in meta_dc_restore player/meta.h:2598
    #4 0x818ebb0 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:1161
    #5 0x81b4bdd in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
    #6 0x805097a in wmf2gd_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2gd.c:191
    #7 0x805097a in wmf2gd_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2gd.c:410
    #8 0x804abf8 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2gd.c:429
    #9 0xb6f4472d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #10 0x804b2ee (/home/fmunozs/ramdisk/wmf2gd+0x804b2ee)

0xb5208670 is located 0 bytes inside of 8-byte region [0xb5208670,0xb5208678)
freed by thread T0 here:
    #0 0xb731ef06 in __interceptor_free (/usr/lib/i386-linux-gnu/libasan.so.1+0x50f06)
    #1 0x80ea7db in wmf_free /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:582

previously allocated by thread T0 here:
    #0 0xb731f18c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80e43e8 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-use-after-free ../../src/ipa/xgd/device.h:241 gd_translate_ft64
==10173==ABORTING

$ /home/fmunozs/ramdisk/wmf2eps --wmf-fontdir=/usr/share/fonts/type1/gsfonts examples/cell.wmf
%!PS-Adobe-2.0 EPSF-2.0
%%BoundingBox: 0 0 1025 1025
save
gsave
0 1025 translate
1 -1 scale
0.066498 0.066498 translate
1.000847 1.000847 scale
gsave % begin clip
grestore % end clip
gsave % begin clip
[ 0.000000 -0.000000 1024.000000 1024.000000 ]
rectclip
gsave % wmf_[eps_]draw_rectangle
newpath
0.000000 -0.000000 moveto
0.000000 1024.000000 lineto
1024.000000 1024.000000 lineto
1024.000000 -0.000000 lineto
closepath
1.000000 1.000000 1.000000 setrgbcolor
fill
grestore
grestore % end clip
gsave % begin clip
[
=================================================================
==32161==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5108654 at pc 0x80588a1 bp 0xbff325e8 sp 0xbff325d8
READ of size 4 at 0xb5108654 thread T0
    #0 0x80588a0 in wmf_eps_region_clip ../../src/ipa/eps/region.h:136
    #1 0x818c810 in meta_dc_restore player/meta.h:2598
    #2 0x818c810 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:1161
    #3 0x81b283d in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
    #4 0x8050023 in wmf2eps_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2eps.c:216
    #5 0x8050023 in wmf2eps_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2eps.c:456
    #6 0x804ac70 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2eps.c:475
    #7 0xb6e6e72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #8 0x804b33e (/home/fmunozs/ramdisk/wmf2eps+0x804b33e)

0xb5108654 is located 4 bytes inside of 8-byte region [0xb5108650,0xb5108658)
freed by thread T0 here:
    #0 0xb7248f06 in __interceptor_free (/usr/lib/i386-linux-gnu/libasan.so.1+0x50f06)
    #1 0x80e843b in wmf_free /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:582

previously allocated by thread T0 here:
    #0 0xb724918c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80e2048 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

SUMMARY: AddressSanitizer: heap-use-after-free ../../src/ipa/eps/region.h:136 wmf_eps_region_clip
==32161==ABORTING
--- End Message ---
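
Added example, not part of the original report or of libwmf: a small triage helper that parses the two ASAN reports above (abridged here to the frames it needs) and shows that the wmf2gd and wmf2eps crashes reduce to the same caller frame. Treating source paths that contain /ipa/ as backend-specific code is an assumption of this sketch.

```python
import re

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
SECTIONS = (("READ of size", "access"), ("WRITE of size", "access"),
            ("freed by thread", "free"), ("previously allocated by", "alloc"))

def parse_asan(report):
    """Return (error kind, {section: [(function, location), ...]})."""
    kind, section, stacks = None, None, {}
    for line in map(str.strip, report.splitlines()):
        header = re.search(r"ERROR: AddressSanitizer: (\S+)", line)
        frame = FRAME.match(line)
        if header:
            kind = header.group(1)
        elif frame and section:
            stacks.setdefault(section, []).append(frame.groups())
        else:  # a section marker switches stacks; any other line changes nothing
            section = next((s for p, s in SECTIONS if line.startswith(p)), section)
    return kind, stacks

def bucket(report, backend_marker="/ipa/"):
    """Key = error kind + first access frame outside backend-specific code.
    Assumption: paths containing backend_marker belong to one output backend."""
    kind, stacks = parse_asan(report)
    shared = [f for f in stacks.get("access", []) if backend_marker not in f[1]]
    return (kind, shared[0] if shared else None)

# Sample input: abridged from the two reports in the message above.
GD_REPORT = """\
==10173==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5208670 at pc 0x805d0bc
READ of size 4 at 0xb5208670 thread T0
    #0 0x805d0bb in gd_translate_ft64 ../../src/ipa/xgd/device.h:241
    #1 0x805d0bb in gd_translate ../../src/ipa/xgd/device.h:230
    #2 0x805d0bb in wmf_gd_region_clip ../../src/ipa/xgd/region.h:112
    #3 0x818ebb0 in meta_dc_restore player/meta.h:2598
freed by thread T0 here:
    #1 0x80ea7db in wmf_free /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:582
"""
EPS_REPORT = """\
==32161==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5108654 at pc 0x80588a1
READ of size 4 at 0xb5108654 thread T0
    #0 0x80588a0 in wmf_eps_region_clip ../../src/ipa/eps/region.h:136
    #1 0x818c810 in meta_dc_restore player/meta.h:2598
freed by thread T0 here:
    #1 0x80e843b in wmf_free /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:582
"""

if __name__ == "__main__":
    print(bucket(GD_REPORT) == bucket(EPS_REPORT), bucket(GD_REPORT))
```

Both reports land in the same bucket, which is a quick way to confirm that two sanitizer crashes in different front ends should be tracked and fixed as one defect.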
--- Begin Message ---
Source: libwmf
Source-Version: 0.2.8.4-10.4

We believe that the bug you reported is fixed in the latest version of libwmf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Thu, 30 Jul 2015 17:10:05 +0200
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-10.4
Distribution: unstable
Urgency: high
Maintainer: Loïc Minier <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 784192 784205 787644 790365
Changes:
 libwmf (0.2.8.4-10.4) unstable; urgency=high
 .
   * NMU from the Security Team
   * Fix multiple vulnerabilities:
     - CVE-2015-0848 (Closes: #790365)
     - CVE-2015-4588 (Closes: #787644)
     - CVE-2015-4695 (Closes: #784205)
     - CVE-2015-4696 (Closes: #784192)
   * Fix lintian override
--- End Message ---

