Your message dated Thu, 17 Dec 2009 00:11:43 +0000
with message-id <[email protected]>
and subject line Bug#526434: fixed in libwmf 0.2.8.4-6+lenny1
has caused the Debian Bug report #526434,
regarding CVE-2009-1364 libwmf: embedded gd use-after-free error
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
526434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526434
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libwmf
Version: 0.2.8.4-6
Severity: serious
Tags: security patch

Hi,

Red Hat recently patched libwmf.

CVE-2009-1364 is still reserved, but is disclosed in RHSA-2009:0457-1 [0].

A pointer use-after-free flaw was found in the GD graphics library embedded
in libwmf. An attacker could create a specially-crafted WMF file that would
cause an application using libwmf to crash or, potentially, execute
arbitrary code as the user running the application when opened by a victim.
(CVE-2009-1364)

Note: This flaw is specific to the GD graphics library embedded in libwmf.
It does not affect the GD graphics library from the "gd" packages, or
applications using it.


Attached is the trivial patch to fix this issue, but libwmf should probably
not use the embedded gd; the system gd should be used instead.

[0] http://rhn.redhat.com/errata/RHSA-2009-0457.html

Cheers,
Giuseppe.
--- src/extra/gd/gd_clip.c.old  2001-03-28 11:37:29.000000000 +0200
+++ src/extra/gd/gd_clip.c      2009-05-01 10:02:04.000000000 +0200
@@ -70,6 +70,7 @@
        {       more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof 
(gdClipRectangle));
                if (more == 0) return;
                im->clip->max += 8;
+               im->clip->list = more;
        }
        im->clip->list[im->clip->count] = (*rect);
        im->clip->count++;
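
Review bot: at `im->clip->max += 8;` the capacity is raised before the new
pointer is stored, and the request size
`(im->clip->max + 8) * sizeof (gdClipRectangle)` just above it is not checked
for wrap-around. Storing `more` in `im->clip->list` is the right fix for the
stale pointer that gdRealloc may leave behind when it moves the block, but I
would put the assignment directly after the `more == 0` test and before the
`max` update so the list and its recorded capacity never disagree, and reject
a `max` large enough for the multiplication to overflow. The
`if (more == 0) return;` path also drops the rectangle without telling the
caller, which deserves at least a comment.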

--- End Message ---
--- Begin Message ---
Source: libwmf
Source-Version: 0.2.8.4-6+lenny1

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive:

libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
  to main/libw/libwmf/libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
  to main/libw/libwmf/libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
libwmf-doc_0.2.8.4-6+lenny1_all.deb
  to main/libw/libwmf/libwmf-doc_0.2.8.4-6+lenny1_all.deb
libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
  to main/libw/libwmf/libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
libwmf_0.2.8.4-6+lenny1.diff.gz
  to main/libw/libwmf/libwmf_0.2.8.4-6+lenny1.diff.gz
libwmf_0.2.8.4-6+lenny1.dsc
  to main/libw/libwmf/libwmf_0.2.8.4-6+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[email protected]> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 05 May 2009 13:28:49 +0000
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-6+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Loic Minier <[email protected]>
Changed-By: Nico Golde <[email protected]>
Description: 
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 526434
Changes: 
 libwmf (0.2.8.4-6+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix use-after-free in embedded copy of gd enabling an attacker
     to do DoS attacks or execute arbitrary code via a crafted wmf file
     (CVE-2009-1364; Closes: #526434).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoAQfsACgkQHYflSXNkfP9G8wCffxGd6q7FDmBsK9GuWI/6n3IL
j/cAn3oWmu2iTcac2jSRcTUNpURcQHFj
=VIGa
-----END PGP SIGNATURE-----



--- End Message ---
