Bug 16127 - libwmf new security issues CVE-2015-0848, CVE-2015-4588, and CVE-2015-469[56]
Summary: libwmf new security issues CVE-2015-0848, CVE-2015-4588, and CVE-2015-469[56]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/649228/
Whiteboard: MGA4TOO advisory MGA4-32-OK MGA5-32-OK
Keywords: validated_update
Duplicates: 16167
Depends on:
Blocks:
 
Reported: 2015-06-16 13:42 CEST by David Walser
Modified: 2015-07-05 19:23 CEST (History)
CC List: 5 users

See Also:
Source RPM: libwmf-0.2.8.4-32.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-06-16 13:42:19 CEST
Two issues in libwmf have been reported and assigned CVEs:
http://seclists.org/oss-sec/2015/q2/597
http://seclists.org/oss-sec/2015/q2/719
https://bugzilla.redhat.com/show_bug.cgi?id=1227243

Mageia 4 and Mageia 5 are affected.

Patch added in Mageia 4 and Cauldron SVN, but it will have to be added in Mageia 5 SVN as well after it's branched.

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-16 13:42:26 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-20 16:45:17 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows
Metafiles) containing BMP images. By tricking a victim into opening a
specially crafted WMF file in an application using libwmf, a remote attacker
could possibly use this flaw to execute arbitrary code with the privileges of
the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://seclists.org/oss-sec/2015/q2/597
http://seclists.org/oss-sec/2015/q2/719
https://bugzilla.redhat.com/show_bug.cgi?id=1227243
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.8.4-30.1.mga4
libwmf0.2_7-0.2.8.4-30.1.mga4
libwmf-devel-0.2.8.4-30.1.mga4
libwmf-0.2.8.4-32.1.mga5
libwmf0.2_7-0.2.8.4-32.1.mga5
libwmf-devel-0.2.8.4-32.1.mga5

from SRPMS:
libwmf-0.2.8.4-30.1.mga4.src.rpm
libwmf-0.2.8.4-32.1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 2 David Walser 2015-06-20 16:58:34 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows
Metafiles) containing BMP images. By tricking a victim into opening a
specially crafted WMF file in an application using libwmf, a remote attacker
could possibly use this flaw to execute arbitrary code with the privileges of
the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://seclists.org/oss-sec/2015/q2/597
http://seclists.org/oss-sec/2015/q2/719
https://bugzilla.redhat.com/show_bug.cgi?id=1227243
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.8.4-30.1.mga4
libwmf0.2_7-0.2.8.4-30.1.mga4
libwmf-devel-0.2.8.4-30.1.mga4
libwmf-0.2.8.4-32.1.mga5
libwmf0.2_7-0.2.8.4-32.1.mga5
libwmf-devel-0.2.8.4-32.1.mga5

from SRPMS:
libwmf-0.2.8.4-30.1.mga4.src.rpm
libwmf-0.2.8.4-32.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Herman Viaene 2015-06-23 14:13:46 CEST
There are lib64 packages for libwmf0.2_7-0.2.8.4-30.1.mga4 and libwmf0.2_7-0.2.8.4-30.1.mga4, but not for libwmf-0.2.8.4-30.1.mga4.
Is that OK????

CC: (none) => herman.viaene

Comment 4 Otto Leipälä 2015-06-23 14:42:55 CEST
It's OK; that would be a typo, I think, as it has an older version number.

CC: (none) => ozkyster

Comment 5 David Walser 2015-06-23 16:23:47 CEST
No there's no typo.

Library packages are always lib{name}{number}.  If the name ends with a number itself, there's an underscore between the name and number.  Devel packages are lib{name}-devel.  Only library packages and devel packages have lib64 equivalents on x86_64.  So in this case, libwmf0.2_7 is a library package, libwmf-devel is a devel package, and libwmf is not a library package, so only the first two have lib64, the third one is called libwmf also on x86_64.

Comment 6 David Walser 2015-06-24 19:20:38 CEST
Fedora has issued an advisory for this on June 9:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows
Metafiles) containing BMP images. By tricking a victim into opening a
specially crafted WMF file in an application using libwmf, a remote attacker
could possibly use this flaw to execute arbitrary code with the privileges of
the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html
David Walser 2015-06-24 19:20:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/649228/

Comment 7 Shlomi Fish 2015-06-27 15:42:01 CEST
My test procedure for this (done on an i586 VM) was to install gimp, download this file:

https://github.com/finwe/mpdf/blob/master/examples/tiger.wmf

And run "gimp tiger.wmf" to see that it opens fine? Is this enough?

Marking as NEEDINFO.

Keywords: (none) => NEEDINFO
CC: (none) => shlomif

Comment 8 David Walser 2015-06-27 16:50:21 CEST
There is a PoC here:
http://seclists.org/oss-sec/2015/q2/597

There are also more wmf files to try mentioned in these bugs (one apparently ships with libwmf and is mentioned in the first bug, the others are attached to the second):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205

Those last ones correspond to some new CVEs, so I'm going to add the patches attached here and push this back to QA:
https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c14
https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c15

Keywords: NEEDINFO => (none)
Whiteboard: MGA4TOO => MGA4TOO feedback

Comment 9 David Walser 2015-06-27 17:56:50 CEST
Patches for CVE-2015-469[56] now added.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows
Metafiles) containing BMP images. By tricking a victim into opening a
specially crafted WMF file in an application using libwmf, a remote attacker
could possibly use this flaw to execute arbitrary code with the privileges of
the user running the application (CVE-2015-0848, CVE-2015-4588).

Two out of bounds reads in libwmf were also discovered, one in the
meta_pen_create() function in player/meta.h (CVE-2015-4695) and one in
wmf2gd.c and wmf2eps.c (CVE-2015-4696).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4596
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html
http://openwall.com/lists/oss-security/2015/06/21/3
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.8.4-30.2.mga4
libwmf0.2_7-0.2.8.4-30.2.mga4
libwmf-devel-0.2.8.4-30.2.mga4
libwmf-0.2.8.4-32.2.mga5
libwmf0.2_7-0.2.8.4-32.2.mga5
libwmf-devel-0.2.8.4-32.2.mga5

from SRPMS:
libwmf-0.2.8.4-30.2.mga4.src.rpm
libwmf-0.2.8.4-32.2.mga5.src.rpm

Summary: libwmf new security issues CVE-2015-0848 and CVE-2015-4588 => libwmf new security issues CVE-2015-0848, CVE-2015-4588, and CVE-2015-469[56]
Whiteboard: MGA4TOO feedback => MGA4TOO

Comment 10 David Walser 2015-06-27 17:57:03 CEST
*** Bug 16167 has been marked as a duplicate of this bug. ***

Comment 11 Herman Viaene 2015-06-29 14:57:44 CEST
MGA5-64 on HP Probook 6555b KDE.
No installation issues.
Using test file from Comment 7 I get at the CLI:
> gimp tiger.wmf
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file

(file-wmf:30464): Gtk-CRITICAL **: IA__gtk_widget_set_size_request: assertion 'width >= -1' failed
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file

(file-wmf:30464): LibGimpWidgets-CRITICAL **: gimp_preview_area_draw: assertion 'buf != NULL' failed
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file

Comment 12 David Walser 2015-06-29 22:37:38 CEST
LWN reference for CVE-2015-4695 and CVE-2015-4696:
http://lwn.net/Vulnerabilities/649712/

Comment 13 David Walser 2015-06-29 22:38:15 CEST
(In reply to Herman Viaene from comment #11)
> MGA5-64 on HP Probook 6555b KDE.
> No installation issues.
> Using test file from Comment 7 I get at the CLI:
> > gimp tiger.wmf

Note that some of my links in Comment 8 showed how to test a wmf file using command-line tools, rather than the GIMP.
Dave Hodgins 2015-07-01 23:06:51 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

Comment 14 David Walser 2015-07-04 18:16:13 CEST
Installed the libwmf package.

gunzip'd the file attached here:
http://seclists.org/oss-sec/2015/q2/597

Before the update:
$ wmf2svg bmpoverflow_wmf > foo.svg
*** Error in `wmf2svg': malloc(): memory corruption: 0x09ecc330 *** (Mageia 4)
*** Error in `wmf2svg': malloc(): memory corruption: 0x095662d8 *** (Mageia 5)

it also hung and I had to kill it.  After the update:
$ wmf2svg bmpoverflow_wmf > foo.svg
ERROR: ../../src/ipa/ipa/bmp.h (1169): Unexpected pixel depth

and no hang.

Ran wmf2gd and wmf2eps on the examples/cell.wmf file from the libwmf source tarball and got no errors before or after the update.

Ran wmf2svg on the two wmf files in the tarball attached to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205 and before and after the update I get ERROR: player/meta.h (line-number): Object out of range! with various different line numbers.

Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA5-32-OK
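The before/after check in Comment 14 (run a converter on the PoC file, watch for the malloc abort or a hang, expect a clean parser error once the fix is in) can be scripted so it is repeated identically on each architecture and release. The helper below is an added example, not part of this bug report and not code from libwmf; it assumes GNU coreutils `timeout` is installed and that the converter names passed in (wmf2svg, wmf2gd, wmf2eps) are on PATH. The file names are supplied by the caller.

```shell
#!/bin/sh
# Added example (not code from the Mageia bug or from libwmf): scripted version of
# the before/after converter check described in Comment 14.
# Assumptions: GNU coreutils `timeout` is available; the converters (wmf2svg,
# wmf2gd, wmf2eps, ...) are on PATH; sample files are supplied by the caller.

# check_wmf CONVERTER FILE [SECONDS]
# Runs "CONVERTER FILE" with a wall-clock limit (default 10 s), discards the
# converted output on stdout, keeps stderr, and prints exactly one verdict:
#   ok     exit status 0
#   error  non-zero exit with an ordinary parser message
#          (e.g. "Unexpected pixel depth", "Object out of range!")
#   crash  killed by a signal or aborted by the glibc heap checker
#          ("malloc(): memory corruption")
#   hang   still running when the limit expired (timeout exits 124)
check_wmf() {
  conv=$1; file=$2; limit=${3:-10}
  # The assignment sits in an if-condition so a non-zero exit is not fatal
  # even when the caller runs with `set -e`.
  if err=$(timeout "$limit" "$conv" "$file" 2>&1 >/dev/null); then
    rc=0
  else
    rc=$?
  fi
  if [ "$rc" -eq 124 ]; then
    echo hang
    return 0
  fi
  if [ "$rc" -eq 0 ]; then
    echo ok
    return 0
  fi
  # glibc prints these before abort(); match them in case the signal status
  # was masked by a wrapper around the converter.
  case $err in
    *"memory corruption"*|*"double free"*|*"invalid pointer"*|*"corrupted"*)
      echo crash
      return 0 ;;
  esac
  # 128+N means the process died from signal N (SIGABRT=6, SIGSEGV=11).
  if [ "$rc" -ge 128 ]; then
    echo crash
    return 0
  fi
  echo error
}

# check_all "CONV1 CONV2 ..." FILE...
# Runs every converter over every file and prints one verdict line per pair,
# i.e. the matrix from Comment 14 (wmf2svg/wmf2gd/wmf2eps x PoC and cell.wmf).
check_all() {
  convs=$1; shift
  for f in "$@"; do
    for c in $convs; do
      printf '%-8s %-6s %s\n' "$c" "$(check_wmf "$c" "$f")" "$f"
    done
  done
}

# Usage: sh check_wmf.sh "wmf2svg wmf2gd wmf2eps" bmpoverflow_wmf examples/cell.wmf
if [ $# -ge 2 ]; then
  check_all "$@"
fi
```

Run it once before and once after installing the packages from updates_testing. For the PoC from Comment 14 the expected transition is crash (or hang) before and error after, while examples/cell.wmf from the libwmf tarball should report ok both times. Treating a non-zero exit accompanied by an ordinary parser message as error rather than crash is what separates the fixed library's "Unexpected pixel depth" / "Object out of range!" rejection from the heap corruption it replaces.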

Comment 15 Dave Hodgins 2015-07-04 18:56:43 CEST
Someone from the sysadmin team please push 16127.adv to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2015-07-05 19:23:29 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0261.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

