Debian-LTS has issued an advisory today (November 2): http://lwn.net/Alerts/705328/ According to the Debian bug, a patch is available from Fedora: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842090
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Done for Mga5 and Cauldron. Suggested advisory: ======================== The updated packages fix a security vulnerability: Memory allocation failure in wmf_malloc (api.c) (CVE-2016-9011). References: http://lwn.net/Alerts/705328/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011 ======================== Updated packages in core/updates_testing: ======================== i586: libwmf-0.2.8.4-32.3.mga5.i586.rpm libwmf0.2_7-0.2.8.4-32.3.mga5.i586.rpm libwmf-devel-0.2.8.4-32.3.mga5.i586.rpm x86_64: libwmf-0.2.8.4-32.3.mga5.x86_64.rpm lib64wmf0.2_7-0.2.8.4-32.3.mga5.x86_64.rpm lib64wmf-devel-0.2.8.4-32.3.mga5.x86_64.rpm Source RPMs: libwmf-0.2.8.4-32.3.mga5.src.rpm
Status: NEW => ASSIGNEDCC: (none) => nicolas.salgueroVersion: Cauldron => 5Assignee: pkg-bugs => qa-bugsSource RPM: libwmf-0.2.8.4-35.mga6.src.rpm => libwmf-0.2.8.4-32.2.mga5.src.rpmWhiteboard: MGA5TOO => (none)
MGA5-32 on Acer D620 Xfce No installation issues Tried to open the bug1.wmf as per references in bug16127 with at CLI $ strace -o ~/Documenten/libwmf.txt gimp bug1.wmf ERROR: player/meta.h (3190): Object out of range! (file-wmf:19736): Gtk-CRITICAL **: IA__gtk_widget_set_size_request: assertion 'width >= -1' failed ERROR: player/meta.h (3190): Object out of range! (file-wmf:19736): LibGimpWidgets-CRITICAL **: gimp_preview_area_draw: assertion 'buf != NULL' failed ERROR: player/meta.h (3190): Object out of range! The libwmf.txt is 6.5Mb and does not show a ref to libwmf
CC: (none) => herman.viaene
Trying to get a handle on this on x86_64 hardware. These sites supply some sample WMF files: https://www.thistlegirldesigns.com/wmfinfo.htm www.armsandbadges.com/sample.htm http://cd.textfiles.com/10000gp2/COLORWMF/ A digression, harking back to bug 2546, just out of curiosity: CVE-2015-0848 $ wmf2svg --wmf-fontdir=/usr/share/fonts/Type1 bmpoverflow.wmf > test.svg ERROR: ../../src/ipa/ipa/bmp.h (1169): Unexpected pixel depth which was the result before. test.svg displayed OK. It showed something called Metafile Companion Test Chart and included text in different fonts and coloured symbols. Files from fuzzed.tar.wz also gave the same result as in the earlier bug. $ wmf2x bug1.wmf ERROR: player/meta.h (3188): Object out of range! $ wmf2x bug2.wmf ERROR: player/meta.h (3295): Object out of range! OK, back to CVE-2016-9011. So far no PoC has turned up so maybe all we can do is run a few samples past the tools.
CC: (none) => tarazed25
All valid images displayed OK before the update, using wmf2x. $ wmf2eps --ps -o sample.ps sample.wmf $ gs sample.ps PostScript file displays fine via ghostscript. Other file conversions work OK as well. $ wmf2gd -t jpeg -o thistlegirl.jpg thistlegirl_wmfsample.wmf $ wmf2gd -o thistlegirl.png thistlegirl_wmfsample.wmf $ identify sample.wmf sample.wmf WMF 578x487 578x487+0+0 16-bit sRGB 68.2KB 0.000u 0:00.009 $ wmf2gd -t jpeg -o sample --maxwidth=200 --maxheight=160 sample.wmf $ identify sample sample JPEG 189x160 189x160+0+0 8-bit sRGB 14.4KB 0.000u 0:00.000 $ wmf2fig -o sample_Xfig.eps sample.wmf produces a metafile with text data of this kind: #FIG 3.2 Portrait Center Metric A4 100.0 Single -2 1200 2 # Title: sample.wmf # Creator: wmf2fig # Date: Fri Nov 4 22:39:13 2016 0 32 #cc0000 0 33 #f4c316 0 34 #990000 0 35 #171412 0 36 #008b01 # wmf_[fig_]draw_polygon 2 3 0 1 0 33 998 0 20 5.000000 1 1 5 0 0 195 5107 4890 5098 4886 ..... That looks OK. $ wmf2svg -z -o sample.svgz sample.wmf [lcl@vega libwmf]$ file sample.svgz sample.svgz: gzip compressed data, max compression, from Unix Shall run the same tests after updating libwmf.
Installed the updates and used the same set of images to test the basic tools. The postscript conversion was not perfect either before or after the tests but there is nothing to indicate that this is associated with the current bug. The only difference between the contents of the before and after files is between the internal time stamps. Both before and afterwards the wmf2gd conversions produce artefacts in JPEG output images, a few speckles, not apparent for PNG. Note this: $ wmf2svg -z -o sample2.svgz sample.wmf $ file sample2.svgz sample2.svgz: gzip compressed data, max compression, from Unix $ gunzip sample2.svgz gzip: sample2.svgz: unknown suffix -- ignored $ cp sample2.svgz sample2.svg.gz $ gunzip sample2.svg.gz That produced sample2.svg which displayed exactly the same image as sample.wmf. wmf2x displayed all the WMF files correctly.
Whiteboard: (none) => MGA5-64-OK
@herman Could you test sample.wmf on i586? I am reluctant to add it as an attachment because it was provided as a free sample at http://www.armsandbadges.com/sample.htm Go to that site and click on the 'Download sample' link. If you click on the crown image all you get is a PNG file. libwmf supplies the tools which all have --help options: /usr/bin/wmf2eps /usr/bin/wmf2gd /usr/bin/wmf2x /usr/bin/wmf2fig /usr/bin/wmf2svg Thanks.
Created attachment 8624 [details] converted from sample.wmf
I did the conversion by wmf2eps --auto sample.wmf The result is far from convincing, a lot of graphical elements are missing. But I get the same result from the previous libwmf version.
Advisory uploaded.
CC: (none) => lewyssmithWhiteboard: MGA5-64-OK => MGA5-64-OK advisory
Installed the updates on i586 in virtualbox. Ran the tests of the wmf tools as listed in comments 5 and 6. All worked as before except that using thistlegirl.wmf for the encapsulated postscript conversion produced thistlegirl.eps which displayed via ghostscript without any missing graphical elements although the image was clipped to A4 size so some of it could not be displayed. It would have fitted comfortably on A3. wmf to jpeg conversion again produced speckles in the output image. $ wmf2svg -z -o sample2.svg.gz sample.wmf $ ls -l *.gz -rw-r--r-- 1 lcl lcl 152142 Nov 12 00:02 sample2.svg.gz $ gunzip sample2.svg.gz $ file sample2.svg sample2.svg: SVG Scalable Vector Graphics image The displayed svg image is a perfect copy of sample.wmf. This update can be validated.
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0376.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED