Bug 24344 - libwmf new security issue CVE-2019-6978
Summary: libwmf new security issue CVE-2019-6978
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-11 01:35 CET by David Walser
Modified: 2019-02-14 09:40 CET

See Also:
Source RPM: libwmf-0.2.8.4-37.1.mga6.src.rpm
CVE: CVE-2019-6978
Status comment:


Attachments
sample wmf file (66.57 KB, image/wmf)
2019-02-13 15:19 CET, Herman Viaene
December calendar display (17.34 KB, application/octet-stream)
2019-02-13 20:33 CET, Len Lawrence

Description David Walser 2019-02-11 01:35:44 CET
Fedora has issued an advisory today (February 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L32G56HKBVCM2HEZASWDWDWEXQTBWNZP/

This is a libgd issue (Bug 24336) due to the bundled gd code in libwmf.

The libgd patch (adjusted for file paths) doesn't apply, so perhaps we should just update it (as I've done in Cauldron) to 0.2.12, which fixes this.

David Walser 2019-02-11 01:35:57 CET

CC: (none) => nicolas.salguero

Comment 1 Marja Van Waes 2019-02-12 08:25:58 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-02-13 09:14:45 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected. (CVE-2019-6978)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L32G56HKBVCM2HEZASWDWDWEXQTBWNZP/
========================

Updated packages in core/updates_testing:
========================
libwmf-0.2.12-1.mga6
lib(64)wmf0.2_7-0.2.12-1.mga6
lib(64)wmf-devel-0.2.12-1.mga6

from SRPMS:
libwmf-0.2.12-1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-6978
Assignee: pkg-bugs => qa-bugs

Comment 3 Len Lawrence 2019-02-13 12:50:47 CET
Re comment #0
Checked libwmf using 'urpmq --requires-recursive' to confirm David's statement regarding the libgd patch.  No dependency on libgd so a clean update should suffice.

However, since it is an update there is no harm in trying out graphicsmagick or imagemagick with the new libwmf.  Need to find an operation that exercises it.  Later.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2019-02-13 15:19:11 CET
MGA6-32 MATE on IBM Thinkpad  R50e
No installation issues.
Found a wmf sample file at https://www.armsandbadges.com/sample.htm (I will upload it here). This file opens nicely in LibreOffice Draw.
libwmf has executables wmf2eps  wmf2fig  wmf2gd   wmf2svg  wmf2x
Tried a few of them on the sample file, but all fail the same:
]$ wmf2svg sample.wmf 
ERROR: font.c (1339): wmf_ipa_font_map: failed to load *any* font!
I will try to find some info on this.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2019-02-13 15:19:55 CET
Created attachment 10739 [details]
sample wmf file

Comment 6 Herman Viaene 2019-02-13 15:37:21 CET
Found ref to this error in https://github.com/kakwa/libvisio2svg/issues/25 and it points to a debian package gsfonts, which does not seem to exist in our rpm-family.
Googling on "gsfonts fedora" gave me refs to packages ghostscript-fonts and urw-fonts, but both are installed already on this laptop.
Giving up for now.
If Len decides to let go on clean install, I won't object.

Comment 7 Len Lawrence 2019-02-13 20:26:23 CET
Thanks Herman.  Just found some sample WMF files in my qa directories - don't know where they came from but they look OK with ImageMagick display.
$ wmf2svg 30MMGUN.WMF > gun.svg
That worked and the output file looks fine as an image.

Tried your sample file and that did not complain.
$ wmf2eps sample.wmf > sample.ps
In gs sample.ps displays as a somewhat sketchy version of the crown image displayed by libreoffice draw.  It certainly looks like encapsulated postscript.
$ head sample.ps
%!PS-Adobe-2.0 EPSF-2.0
%%BoundingBox:  0 0 1025 1025
save
gsave
0 1025 translate
1 -1 scale
0.038000 0.038000 translate
1.000902 1.000902 scale
gsave % begin clip
gsave % wmf_[eps_]draw_polygon

The reference to fonts with respect to sample.wmf is puzzling - it is hard to see how font rendering can be involved with a pictorial image like that.  Not even the postscript file refers to any fonts.
$ cat sample.ps | grep -i font
Ghostscript fonts are installed here also, close to 100 of them.
$ locate -i fontmap | grep ghostscript
/usr/share/fonts/default/ghostscript/Fontmap
/usr/share/fonts/default/ghostscript/Fontmap.bak
/usr/share/ghostscript/9.26/Resource/Init/FAPIfontmap
/usr/share/ghostscript/9.26/Resource/Init/FCOfontmap-PCLPS2
/usr/share/ghostscript/9.26/Resource/Init/Fontmap
/usr/share/ghostscript/9.26/Resource/Init/Fontmap.GS

One of life's little mysteries.  Thanks for trying.  It would be good to find an explanation though.
Anyway, my various sample files behave when processed by the WMF utilities so it deserves a 64-bit pass.
Attaching one of my samples.

Whiteboard: (none) => MGA6-64-OK
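
The manual checks in comments 4 and 7 can be scripted as a repeatable smoke test for the updated package. This is an added example, not part of the original thread or of libwmf; it assumes only what the comments show (wmf2svg and wmf2eps write to stdout, failures print a line starting with `ERROR:`), and the script name `wmf_smoke.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: smoke test for the two converters exercised in this report.
# Usage (hypothetical script name): sh wmf_smoke.sh sample.wmf 30MMGUN.WMF

# check_one TOOL FILE: run one converter, print a result line, return 0 on pass.
check_one() {
    tool=$1
    wmf=$2
    out=$(mktemp) || return 2
    err=$(mktemp) || { rm -f "$out"; return 2; }
    status=PASS
    if ! "$tool" "$wmf" >"$out" 2>"$err"; then
        status="FAIL(exit)"        # converter returned a non-zero exit code
    elif grep -q '^ERROR:' "$err"; then
        # Catches messages such as the font.c error quoted in comment 4,
        # even if the tool still exits with status 0.
        status="FAIL(stderr)"
    elif [ ! -s "$out" ]; then
        status="FAIL(empty)"       # nothing was written to stdout
    elif [ "$tool" = wmf2eps ] && ! head -n 1 "$out" | grep -q '^%!PS-Adobe'; then
        status="FAIL(header)"      # EPS output must start with the PS header
    fi
    rm -f "$out" "$err"
    printf '%s %s %s\n' "$status" "$tool" "$wmf"
    [ "$status" = PASS ]
}

# smoke_test FILE...: run both converters on every file and report the total.
smoke_test() {
    failures=0
    for wmf in "$@"; do
        for tool in wmf2svg wmf2eps; do
            check_one "$tool" "$wmf" || failures=$((failures + 1))
        done
    done
    echo "failures=$failures"
    [ "$failures" -eq 0 ]
}

# Run only when WMF files are given on the command line.
if [ "$#" -gt 0 ]; then
    smoke_test "$@"
fi
```

Running it on both the 32-bit and 64-bit test machines with the same attached samples makes a result like the font-loading failure in comment 4 directly comparable between systems.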

Comment 8 Len Lawrence 2019-02-13 20:33:56 CET
Created attachment 10744 [details]
December calendar display

$ file D20862.WMF 
D20862.WMF: ms-windows metafont .wmf

Dave Hodgins 2019-02-14 07:08:54 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2019-02-14 09:40:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0085.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

