| Summary: | libwmf new security issues CVE-2015-0848, CVE-2015-4588, and CVE-2015-469[56] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, ottoleipala1, shlomif, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/649228/ | ||
| Whiteboard: | MGA4TOO advisory MGA4-32-OK MGA5-32-OK | ||
| Source RPM: | libwmf-0.2.8.4-32.mga5.src.rpm | CVE: | |
| Status comment: | |||

Description
David Walser
2015-06-16 13:42:19 CEST

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://seclists.org/oss-sec/2015/q2/597
http://seclists.org/oss-sec/2015/q2/719
https://bugzilla.redhat.com/show_bug.cgi?id=1227243
========================

Updated packages in core/updates_testing:
========================

libwmf-0.2.8.4-30.1.mga4
libwmf0.2_7-0.2.8.4-30.1.mga4
libwmf-devel-0.2.8.4-30.1.mga4
libwmf-0.2.8.4-32.1.mga5
libwmf0.2_7-0.2.8.4-32.1.mga5
libwmf-devel-0.2.8.4-32.1.mga5

from SRPMS:
libwmf-0.2.8.4-30.1.mga4.src.rpm
libwmf-0.2.8.4-32.1.mga5.src.rpm

David Walser
2015-06-16 13:42:26 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs

There are lib64 packages for libwmf0.2_7-0.2.8.4-30.1.mga4 and libwmf0.2_7-0.2.8.4-30.1.mga4, but not for libwmf-0.2.8.4-30.1.mga4. Is that OK????

CC: (none) => herman.viaene

It's OK, that would be a typo I think, as it has an older version number.

CC: (none) => ozkyster

No, there's no typo.

Library packages are always lib{name}{number}. If the name ends with a number itself, there's an underscore between the name and number. Devel packages are lib{name}-devel. Only library packages and devel packages have lib64 equivalents on x86_64. So in this case, libwmf0.2_7 is a library package, libwmf-devel is a devel package, and libwmf is not a library package, so only the first two have lib64; the third one is called libwmf also on x86_64.

Fedora has issued an advisory for this on June 9:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html

David Walser
2015-06-24 19:20:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/649228/

My test procedure for this (done on an i586 VM) was to install gimp, download this file:
https://github.com/finwe/mpdf/blob/master/examples/tiger.wmf
and run "gimp tiger.wmf" to see that it opens fine? Is this enough? Marking as NEEDINFO.

Keywords: (none) => NEEDINFO

There is a PoC here:
http://seclists.org/oss-sec/2015/q2/597

There are also more wmf files to try mentioned in these bugs (one apparently ships with libwmf and is mentioned in the first bug, the others are attached to the second):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205

Those last ones correspond to some new CVEs, so I'm going to add the patches attached here and push this back to QA:
https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c14
https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c15

Keywords: NEEDINFO => (none)

Patches for CVE-2015-469[56] now added.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application (CVE-2015-0848, CVE-2015-4588).

Two out of bounds reads in libwmf were also discovered, one in the meta_pen_create() function in player/meta.h (CVE-2015-4695) and one in wmf2gd.c and wmf2eps.c (CVE-2015-4696).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4596
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html
http://openwall.com/lists/oss-security/2015/06/21/3
========================

Updated packages in core/updates_testing:
========================

libwmf-0.2.8.4-30.2.mga4
libwmf0.2_7-0.2.8.4-30.2.mga4
libwmf-devel-0.2.8.4-30.2.mga4
libwmf-0.2.8.4-32.2.mga5
libwmf0.2_7-0.2.8.4-32.2.mga5
libwmf-devel-0.2.8.4-32.2.mga5

from SRPMS:
libwmf-0.2.8.4-30.2.mga4.src.rpm
libwmf-0.2.8.4-32.2.mga5.src.rpm

Summary: libwmf new security issues CVE-2015-0848 and CVE-2015-4588 => libwmf new security issues CVE-2015-0848, CVE-2015-4588, and CVE-2015-469[56]

*** Bug 16167 has been marked as a duplicate of this bug. ***

MGA5-64 on HP Probook 6555b KDE.
No installation issues.
Using test file from Comment 7 I get at the CLI:
> gimp tiger.wmf
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file
(file-wmf:30464): Gtk-CRITICAL **: IA__gtk_widget_set_size_request: assertion 'width >= -1' failed
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file
(file-wmf:30464): LibGimpWidgets-CRITICAL **: gimp_preview_area_draw: assertion 'buf != NULL' failed
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file

LWN reference for CVE-2015-4695 and CVE-2015-4696:
http://lwn.net/Vulnerabilities/649712/

(In reply to Herman Viaene from comment #11)
> MGA5-64 on HP Probook 6555b KDE.
> No installation issues.
> Using test file from Comment 7 I get at the CLI:
> > gimp tiger.wmf

Note that some of my links in Comment 8 showed how to test a wmf file using command-line tools, rather than the GIMP.

Dave Hodgins
2015-07-01 23:06:51 CEST

CC: (none) => davidwhodgins

Installed the libwmf package. gunzip'd the file attached here:
http://seclists.org/oss-sec/2015/q2/597

Before the update:
$ wmf2svg bmpoverflow_wmf > foo.svg
*** Error in `wmf2svg': malloc(): memory corruption: 0x09ecc330 *** (Mageia 4)
*** Error in `wmf2svg': malloc(): memory corruption: 0x095662d8 *** (Mageia 5)
it also hung and I had to kill it.

After the update:
$ wmf2svg bmpoverflow_wmf > foo.svg
ERROR: ../../src/ipa/ipa/bmp.h (1169): Unexpected pixel depth
and no hang.

Ran wmf2gd and wmf2eps on the examples/cell.wmf file from the libwmf source tarball and got no errors before or after the update.

Ran wmf2svg on the two wmf files in the tarball attached to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205 and before and after the update I get
ERROR: player/meta.h (line-number): Object out of range!
with various different line numbers.

Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA5-32-OK

Someone from the sysadmin team please push 16127.adv to updates

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0261.html

Status: NEW => RESOLVED
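The QA results above exercise two of libwmf's defensive checks: the header check that reports "this isn't a wmf file" and the object-table bounds check that reports "Object out of range!" (the kind of check that closes an out-of-bounds read such as the one in meta_pen_create(), CVE-2015-4695). The following Python is an added illustration written for this page, not code from libwmf or from this bug: it parses the WMF header and record stream and applies the same family of checks a defender wants before handing a file to a renderer. Everything in it is an assumption of this example rather than something the bug states: the function and class names, the decision to treat the header's file-size and MaxRecord fields strictly, and the three sample files, which are constructed inline (a well-formed file with one pen, the same file selecting an object index the header never declared, and a non-WMF byte string).

```python
import struct

# Constants from the WMF format (standard values, not taken from this bug).
PLACEABLE_KEY = 0x9AC6CDD7            # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SELECTOBJECT = 0x012D
META_DELETEOBJECT = 0x01F0
META_CREATEPENINDIRECT = 0x02FA
META_CREATEBRUSHINDIRECT = 0x02FC
CREATE_FUNCS = {META_CREATEPENINDIRECT, META_CREATEBRUSHINDIRECT}


class WmfError(ValueError):
    """Raised for any input the validator refuses (hypothetical name)."""


def parse_wmf(data: bytes) -> dict:
    """Validate a WMF byte string; return a summary or raise WmfError."""
    off = 0
    placeable = False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22              # skip the placeable header
    if len(data) - off < 18:
        raise WmfError("this isn't a wmf file (header truncated)")
    # META_HEADER: Type, HeaderSize (words), Version, FileSize (words),
    # NumberOfObjects, MaxRecord (words), NumberOfMembers
    ftype, hdr_words, version, size_words, num_objects, max_record, _ = \
        struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise WmfError("this isn't a wmf file (bad META_HEADER)")
    if size_words * 2 > len(data) - off:
        raise WmfError("file size field exceeds available data")

    objects = [None] * num_objects            # the object table the header promised
    pos, n_records = off + 18, 0
    while True:
        if pos + 6 > len(data):
            raise WmfError("record stream ended without META_EOF")
        rec_words, func = struct.unpack_from("<IH", data, pos)
        rec_len = rec_words * 2
        if rec_words < 3 or pos + rec_len > len(data):
            raise WmfError("truncated or undersized record at offset %d" % pos)
        if rec_words > max_record:
            raise WmfError("record larger than MaxRecord at offset %d" % pos)
        params = data[pos + 6:pos + rec_len]
        n_records += 1
        if func == META_EOF:
            break
        if func in (META_SELECTOBJECT, META_DELETEOBJECT):
            idx = struct.unpack_from("<H", params, 0)[0]
            # The bounds check: an index must lie inside the declared table.
            if idx >= num_objects:
                raise WmfError("Object out of range! (index %d, NumberOfObjects %d)"
                               % (idx, num_objects))
            if objects[idx] is None:
                raise WmfError("object %d used before it was created" % idx)
            if func == META_DELETEOBJECT:
                objects[idx] = None
        elif func in CREATE_FUNCS:
            try:
                objects[objects.index(None)] = func   # first free slot, as WMF readers do
            except ValueError:
                raise WmfError("object table full (NumberOfObjects too small)")
        pos += rec_len
    return {"placeable": placeable, "records": n_records, "objects": num_objects}


def validate(data: bytes) -> str:
    """Return 'ok' or the validator's error message (hypothetical helper)."""
    try:
        parse_wmf(data)
        return "ok"
    except WmfError as e:
        return str(e)


# --- constructed sample files (not from the bug report) ---
def _u16s(*vals):
    return b"".join(struct.pack("<H", v & 0xFFFF) for v in vals)

def _record(func, payload=b""):
    return struct.pack("<IH", 3 + len(payload) // 2, func) + payload

def _build_wmf(num_objects, records):
    body = b"".join(records)
    max_rec = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         num_objects, max_rec, 0)
    return header + body

_PEN = _u16s(0, 1, 0, 0, 0)   # PenStyle, Width (x, y), ColorRef: a solid 1-unit black pen
GOOD_WMF = _build_wmf(1, [_record(META_CREATEPENINDIRECT, _PEN),
                          _record(META_SELECTOBJECT, _u16s(0)), _record(META_EOF)])
BAD_OBJECT_WMF = _build_wmf(1, [_record(META_CREATEPENINDIRECT, _PEN),
                                _record(META_SELECTOBJECT, _u16s(1)), _record(META_EOF)])
NOT_A_WMF = b"GIF89a" + bytes(20)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_WMF), ("bad index", BAD_OBJECT_WMF), ("gif", NOT_A_WMF)):
        print(name, "->", validate(blob))
```

The validator is deliberately stricter than a tolerant renderer (it refuses files whose FileSize or MaxRecord fields understate the data), which is the right trade-off for a pre-filter in front of a library that has had out-of-bounds reads in exactly this code path.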