| Summary: | libwmf new security issues CVE-2016-1016[6-8], CVE-2016-6912, CVE-2016-9317 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5-64-OK advisory MGA5-32-OK | | |
| Source RPM: | libwmf-0.2.8.4-36.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2017-03-14 11:11:12 CET
David Walser
2017-03-14 11:11:20 CET
Whiteboard: (none) => MGA5TOO

Assigning to all pkgrs collectively, since there is no registered maintainer for libwmf

CC: (none) => marja11

According to https://bugzilla.redhat.com/show_bug.cgi?id=1418992#c2, CVE-2016-6912 does not affect libwmf.

CC: (none) => nicolas.salguero

According to https://bugzilla.redhat.com/show_bug.cgi?id=1418992#c4, CVE-2016-10166 does not affect libwmf.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The gdImageCreate function in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (system hang) via an oversized image. (CVE-2016-9317)

The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. (CVE-2016-10167)

Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. (CVE-2016-10168)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.8.4-32.4.mga5
lib(64)wmf0.2_7-0.2.8.4-32.4.mga5
lib(64)wmf-devel-0.2.8.4-32.4.mga5

from SRPMS:
libwmf-0.2.8.4-32.4.mga5.src.rpm
Nicolas Salguero
2017-03-21 14:52:40 CET
Status: NEW => ASSIGNED

Prior to testing.
These applications use lib64wmf0.2_7 :
abiword
gimp
graphicsmagick
imagemagick
libwmf

libwmf contains several .wmf -> other format conversion programs:
/usr/bin/wmf2eps
/usr/bin/wmf2fig
/usr/bin/wmf2gd
/usr/bin/wmf2svg
/usr/bin/wmf2x
No man pages; do <command> --help for good info.

CC: (none) => lewyssmith

Testing M5_64
BEFORE update:
libwmf-0.2.8.4-32.3.mga5
lib64wmf0.2_7-0.2.8.4-32.3.mga5
1. $ wmf2eps -o ac000001.eps ac000001.wmf
Caution: without -o output is to STDOUT.
The output .eps file was OK, opened with several applications.
2. $ wmf2fig -o alamo.fig alamo.wmf
Caution: without -o output is to STDOUT.
Caution: the help implies that the O/P file is .eps rather than .fig . I do not know whether it outputs .eps or .fig, so forced .fig. Despite which, XFig did not list it in its 'open' dialogue. Specifically 'open with XFig' from a file manager window worked; the result was slightly messy, and I could not edit it.
3a. $ wmf2gd -o bcklc140.png bcklc140.wmf
3b. $ wmf2gd -t jpeg -o bcklc140.jpg bcklc140.wmf
This command actually produces a .png (default) or .jpg image. Both results displayed fine.
4. $ wmf2svg -o anima001.svg anima001.wmf
Caution: without -o output is to STDOUT.
The result opened fine in Inkscape (using 'open with Inkscape' from a FM window), and was editable. [discovered a bug re the file open dialogue in Inkscape *not* to pursue here].
5. $ wmf2x bkgr_01.wmf
XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":0.0"
after 1442 requests (8 known processed) with 0 events remaining.
but the image displayed impeccably.
AFTER the update:
libwmf-0.2.8.4-32.4.mga5
lib64wmf0.2_7-0.2.8.4-32.4.mga5
All results were the same as previously.
And to confirm that the library really is called:
$ strace wmf2svg -o anima001.svg anima001.wmf 2>&1 | grep libwmf
open("/lib64/libwmf-0.2.so.7", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libwmflite-0.2.so.7", O_RDONLY|O_CLOEXEC) = 3
Update OK.

Whiteboard: (none) => MGA5-64-OK
Dave Hodgins
2017-03-25 00:32:03 CET
CC: (none) => davidwhodgins

Update installs cleanly on i586.

Using /usr/share/batik/samples/tests/resources/wmf/black_shapes.wmf from the package batik-demo for testing on Mageia 5 i586.
wmf2svg -o test.svg /usr/share/batik/samples/tests/resources/wmf/black_shapes.wmf
Then using inkscape to view the test.svg.

Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0086.html

Status: ASSIGNED => RESOLVED