Two issues in libwmf have been reported and assigned CVEs:
http://seclists.org/oss-sec/2015/q2/597
http://seclists.org/oss-sec/2015/q2/719
https://bugzilla.redhat.com/show_bug.cgi?id=1227243

Mageia 4 and Mageia 5 are affected.

Patch added in Mageia 4 and Cauldron SVN, but it will have to be added in Mageia 5 SVN as well after it's branched.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://seclists.org/oss-sec/2015/q2/597
http://seclists.org/oss-sec/2015/q2/719
https://bugzilla.redhat.com/show_bug.cgi?id=1227243
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.8.4-30.1.mga4
libwmf0.2_7-0.2.8.4-30.1.mga4
libwmf-devel-0.2.8.4-30.1.mga4
libwmf-0.2.8.4-32.1.mga5
libwmf0.2_7-0.2.8.4-32.1.mga5
libwmf-devel-0.2.8.4-32.1.mga5

from SRPMS:
libwmf-0.2.8.4-30.1.mga4.src.rpm
libwmf-0.2.8.4-32.1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Assignee: bugsquad => qa-bugs
There are lib64 packages for libwmf0.2_7-0.2.8.4-30.1.mga4 and libwmf0.2_7-0.2.8.4-30.1.mga4, but not for libwmf-0.2.8.4-30.1.mga4. Is that OK?
CC: (none) => herman.viaene
It's OK; that would be a typo, I think, as it has an older version number.
CC: (none) => ozkyster
No there's no typo. Library packages are always lib{name}{number}. If the name ends with a number itself, there's an underscore between the name and number. Devel packages are lib{name}-devel. Only library packages and devel packages have lib64 equivalents on x86_64. So in this case, libwmf0.2_7 is a library package, libwmf-devel is a devel package, and libwmf is not a library package, so only the first two have lib64, the third one is called libwmf also on x86_64.
Fedora has issued an advisory for this on June 9:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application (CVE-2015-0848, CVE-2015-4588).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html
URL: (none) => http://lwn.net/Vulnerabilities/649228/
My test procedure for this (done on an i586 VM) was to install gimp, download this file:
https://github.com/finwe/mpdf/blob/master/examples/tiger.wmf
and run "gimp tiger.wmf" to see that it opens fine. Is this enough?

Marking as NEEDINFO.
Keywords: (none) => NEEDINFO
CC: (none) => shlomif
There is a PoC here:
http://seclists.org/oss-sec/2015/q2/597

There are also more wmf files to try mentioned in these bugs (one apparently ships with libwmf and is mentioned in the first bug, the others are attached to the second):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784192
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205

Those last ones correspond to some new CVEs, so I'm going to add the patches attached here and push this back to QA:
https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c14
https://bugzilla.redhat.com/show_bug.cgi?id=1227243#c15
Keywords: NEEDINFO => (none)
Whiteboard: MGA4TOO => MGA4TOO feedback
Patches for CVE-2015-469[56] now added.

Advisory:
========================

Updated libwmf packages fix security vulnerabilities:

It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application (CVE-2015-0848, CVE-2015-4588).

Two out of bounds reads in libwmf were also discovered, one in the meta_pen_create() function in player/meta.h (CVE-2015-4695) and one in wmf2gd.c and wmf2eps.c (CVE-2015-4696).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4596
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160668.html
http://openwall.com/lists/oss-security/2015/06/21/3
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.8.4-30.2.mga4
libwmf0.2_7-0.2.8.4-30.2.mga4
libwmf-devel-0.2.8.4-30.2.mga4
libwmf-0.2.8.4-32.2.mga5
libwmf0.2_7-0.2.8.4-32.2.mga5
libwmf-devel-0.2.8.4-32.2.mga5

from SRPMS:
libwmf-0.2.8.4-30.2.mga4.src.rpm
libwmf-0.2.8.4-32.2.mga5.src.rpm
Summary: libwmf new security issues CVE-2015-0848 and CVE-2015-4588 => libwmf new security issues CVE-2015-0848, CVE-2015-4588, and CVE-2015-469[56]
Whiteboard: MGA4TOO feedback => MGA4TOO
*** Bug 16167 has been marked as a duplicate of this bug. ***
MGA5-64 on HP Probook 6555b KDE.
No installation issues.
Using test file from Comment 7 I get at the CLI:

> gimp tiger.wmf
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file

(file-wmf:30464): Gtk-CRITICAL **: IA__gtk_widget_set_size_request: assertion 'width >= -1' failed
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file

(file-wmf:30464): LibGimpWidgets-CRITICAL **: gimp_preview_area_draw: assertion 'buf != NULL' failed
ERROR: meta.c (179): wmf_header_read: this isn't a wmf file
LWN reference for CVE-2015-4695 and CVE-2015-4696: http://lwn.net/Vulnerabilities/649712/
(In reply to Herman Viaene from comment #11)
> MGA5-64 on HP Probook 6555b KDE.
> No installation issues.
> Using test file from Comment 7 I get at the CLI:
> > gimp tiger.wmf

Note that some of my links in Comment 8 showed how to test a wmf file using command-line tools, rather than the GIMP.
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory
Installed the libwmf package.

gunzip'd the file attached here:
http://seclists.org/oss-sec/2015/q2/597

Before the update:
$ wmf2svg bmpoverflow_wmf > foo.svg
*** Error in `wmf2svg': malloc(): memory corruption: 0x09ecc330 ***  (Mageia 4)
*** Error in `wmf2svg': malloc(): memory corruption: 0x095662d8 ***  (Mageia 5)
it also hung and I had to kill it.

After the update:
$ wmf2svg bmpoverflow_wmf > foo.svg
ERROR: ../../src/ipa/ipa/bmp.h (1169): Unexpected pixel depth
and no hang.

Ran wmf2gd and wmf2eps on the examples/cell.wmf file from the libwmf source tarball and got no errors before or after the update.

Ran wmf2svg on the two wmf files in the tarball attached to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784205
and before and after the update I get
ERROR: player/meta.h (line-number): Object out of range!
with various different line numbers.
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK MGA5-32-OK
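Two practical problems surfaced during QA above: the gimp run reported "wmf_header_read: this isn't a wmf file" (the downloaded sample was not a metafile at all), and the pre-update wmf2svg run on the PoC hung and had to be killed by hand. The following Python harness is an added example, not code from this bug report, from libwmf or from Mageia: it checks that each sample really starts with a WMF header before anything is run on it, then runs a converter such as wmf2svg on the plausible ones under a timeout and classifies the result as ok, error, crash (killed by a signal, as glibc's malloc check does) or hang. The header field layout follows the published MS-WMF format; the verdict names, the timeout, the fake_converter stand-in used for offline testing, and the assumption that wmf2svg is on PATH are ours.

```python
"""Triage harness for WMF samples (added example; not from the bug report or libwmf).

Checks the WMF header first, then runs a converter under a timeout so that
hangs, crashes and reported errors are classified without manual intervention.
"""
import struct
import subprocess
import sys

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable metafile magic (stored little-endian)
PLACEABLE_LEN = 22           # bytes in the placeable header
HEADER_LEN = 18              # bytes in the standard METAHEADER (9 WORDs)


def wmf_header_problem(data: bytes):
    """Return None if `data` starts with a plausible WMF header, else a reason string."""
    off = 0
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # The placeable checksum is the XOR of the header's first ten WORDs.
        calc = 0
        for word in struct.unpack_from("<10H", data, 0):
            calc ^= word
        if calc != struct.unpack_from("<H", data, 20)[0]:
            return "placeable header checksum mismatch"
        off = PLACEABLE_LEN
    if len(data) < off + HEADER_LEN:
        return "too short to hold a WMF header"
    mtype, hsize, version = struct.unpack_from("<3H", data, off)
    if mtype not in (1, 2):                     # 1 = memory metafile, 2 = disk metafile
        return f"unknown metafile type 0x{mtype:04x}"
    if hsize != 9:                              # header size is given in WORDs
        return f"header size {hsize} words, expected 9"
    if version not in (0x0100, 0x0300):
        return f"unexpected metafile version 0x{version:04x}"
    return None


def build_minimal_wmf() -> bytes:
    """Constructed sample: placeable header + METAHEADER + a META_EOF record."""
    head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)  # 20 bytes
    checksum = 0
    for word in struct.unpack("<10H", head):
        checksum ^= word
    placeable = head + struct.pack("<H", checksum)
    # Type=1, HeaderSize=9, Version=0x300, Size=12 WORDs, 0 objects, MaxRecord=3, 0 members
    header = struct.pack("<6HIH", 1, 9, 0x0300, 12, 0, 0, 3, 0)
    eof = struct.pack("<IH", 3, 0)             # record of 3 WORDs, function 0x0000 = EOF
    return placeable + header + eof


def run_converter(command, path, timeout_s=10):
    """Run `command + [path]` and return (verdict, stderr).

    verdict is one of 'ok', 'error', 'crash', 'hang', 'missing-tool'.
    """
    try:
        proc = subprocess.run(list(command) + [str(path)],
                              capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:           # child is killed by subprocess.run
        return "hang", ""
    except FileNotFoundError:
        return "missing-tool", ""
    stderr = proc.stderr.decode("utf-8", errors="replace").strip()
    if proc.returncode < 0:                     # terminated by a signal (e.g. SIGABRT)
        return "crash", stderr
    if proc.returncode != 0 or "ERROR:" in stderr:
        return "error", stderr
    return "ok", stderr


def fake_converter(behaviour: str):
    """Stand-in converter for offline testing; simulates one outcome (hypothetical)."""
    scripts = {
        "ok": "pass",
        "error": "import sys; sys.stderr.write('ERROR: simulated\\n'); sys.exit(1)",
        "crash": "import os, signal; os.kill(os.getpid(), signal.SIGABRT)",
        "hang": "import time; time.sleep(60)",
    }
    return [sys.executable, "-c", scripts[behaviour]]


def triage(command, paths, timeout_s=10):
    """Header-check every file, run the converter on the plausible ones."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        problem = wmf_header_problem(data)
        if problem:
            results[str(path)] = ("not-wmf", problem)
            continue
        results[str(path)] = run_converter(command, path, timeout_s)
    return results


if __name__ == "__main__":
    # usage: python wmf_triage.py wmf2svg sample1.wmf sample2.wmf ...
    for name, (verdict, detail) in triage([sys.argv[1]], sys.argv[2:]).items():
        first = detail.splitlines()[0] if detail else ""
        print(f"{verdict:12} {name}  {first}")
```

The converter's stdout (the SVG that the testers redirected to foo.svg) is captured and discarded; only the verdict and the first stderr line are reported, which is what the whiteboard needs. Because subprocess.run kills the child on timeout, a sample that hangs like the pre-update PoC is reported as "hang" instead of stalling the test session.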
Someone from the sysadmin team please push 16127.adv to updates
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0261.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED