ports/134246: [patch] [vuxml] graphics/libwmf: document and fix two remote code execution vulnerabilities
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Tue May 5 21:10:06 UTC 2009
>Number: 134246
>Category: ports
>Synopsis: [patch] [vuxml] graphics/libwmf: document and fix two remote code execution vulnerabilities
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 05 21:10:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 8.0-CURRENT amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 8.0-CURRENT amd64
>Description:
Two vulnerabilities (at least) are present in the current FreeBSD
port graphics/libwmf: [1], [2].
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1364
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
>Fix:
The following patch fixes both vulnerabilities in the FreeBSD port:
--- libwmf.diff begins here ---
From 1ac505a89ecb6276374b1c39dc52579368fb97b0 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Wed, 6 May 2009 00:37:31 +0400
Patches were taken from Ubuntu's builds of libwmf,
http://security.ubuntu.com/ubuntu/pool/main/libw/libwmf/libwmf_0.2.8.3-3.1ubuntu0.2.diff.gz
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
graphics/libwmf/Makefile | 2 +-
graphics/libwmf/files/patch-cve-2006-3376 | 30 +++++++++++++++++++++++++++++
graphics/libwmf/files/patch-cve-2009-1364 | 14 +++++++++++++
3 files changed, 45 insertions(+), 1 deletions(-)
create mode 100644 graphics/libwmf/files/patch-cve-2006-3376
create mode 100644 graphics/libwmf/files/patch-cve-2009-1364
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile
index 16f6774..3be48d0 100644
--- a/graphics/libwmf/Makefile
+++ b/graphics/libwmf/Makefile
@@ -7,7 +7,7 @@
PORTNAME= libwmf
PORTVERSION= 0.2.8.4
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= wvware
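Review bot: the PORTREVISION bump from 2 to 3 is the right accompaniment for a patch-only change, since the installed library changes while PORTVERSION stays at 0.2.8.4; it also matches the `<lt>0.2.8.4_3</lt>` range used in both VuXML entries below, so the first package built from this revision is the first one outside the vulnerable range.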
diff --git a/graphics/libwmf/files/patch-cve-2006-3376 b/graphics/libwmf/files/patch-cve-2006-3376
new file mode 100644
index 0000000..75c0b90
--- /dev/null
+++ b/graphics/libwmf/files/patch-cve-2006-3376
@@ -0,0 +1,30 @@
+Fix for CVE-2006-3376.
+
+Obtained from: Ubuntu
+--- src/player.c
++++ src/player.c
+@@ -23,6 +23,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
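Review bot: the guard `if (MAX_REC_SIZE(API) > UINT32_MAX / 2)` prevents the wrap in `MAX_REC_SIZE(API) * 2 * sizeof (unsigned char)` only if that product is evaluated in 32-bit arithmetic, so it is worth confirming the type behind the MAX_REC_SIZE macro in player.c; with a wider type the product cannot wrap and the check merely refuses over-large records early, which is still a reasonable bound. Two smaller points: the error set is `wmf_E_InsMem`, although the condition is an out-of-range record size in the input rather than an allocation failure, so a format-error code, if the library has one, would describe it more precisely; and the `---`/`+++` headers carry bare `src/player.c` paths, whereas ports patches conventionally put a `.orig` suffix on the `---` line. The added `#include <stdint.h>` is required for UINT32_MAX and belongs in the patch.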
diff --git a/graphics/libwmf/files/patch-cve-2009-1364 b/graphics/libwmf/files/patch-cve-2009-1364
new file mode 100644
index 0000000..dfce754
--- /dev/null
+++ b/graphics/libwmf/files/patch-cve-2009-1364
@@ -0,0 +1,14 @@
+Patch for CVE-2009-1364
+
+Obtained from: Ubuntu
+
+--- src/extra/gd/gd_clip.c
++++ src/extra/gd/gd_clip.c
+@@ -70,6 +70,7 @@
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
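Review bot: storing the realloc result with `im->clip->list = more;` is the whole fix: before it, `gdRealloc` could move the block, `im->clip->max += 8` was applied anyway, and the following `im->clip->list[im->clip->count] = (*rect)` wrote through the stale pointer into freed memory or past the end of the old block. One follow-up worth considering: `if (more == 0) return;` drops the rectangle silently, so the caller cannot tell that the clip list is now incomplete; keeping the early return (which correctly leaves the old block intact) but signalling the failure, if the surrounding API allows it, would make an allocation failure visible instead of a silent loss of clipping.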
--
1.6.2.5
--- libwmf.diff ends here ---
The following VuXML entries should be evaluated and added:
--- vuln-1.xml begins here ---
<vuln vid="8dba4ad9-39b3-11de-a493-001b77d09812">
<topic>libwmf -- Denial of Service and possible remote code execution</topic>
<affects>
<package>
<name>libwmf</name>
<range><lt>0.2.8.4_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote
cite="http://www.securityfocus.com/bid/34792/discuss">
<p>The 'libwmf' library is prone to a buffer-overflow
vulnerability because the vector graphics linked library
improperly allocates memory when parsing WMF image files.</p>
<p>Successfully exploiting this issue would allow an attacker
to corrupt memory and execute arbitrary code in the context of
the currently logged-in user.</p>
</blockquote>
</body>
</description>
<references>
<cvename></cvename>
<bid>34792</bid>
<url>http://secunia.com/advisories/34901/</url>
</references>
<dates>
<discovery>2009-05-05</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln-1.xml ends here ---
--- vuln-2.xml begins here ---
<vuln vid="ad1cca02-39b2-11de-a493-001b77d09812">
<topic>libwmf -- heap overflow and arbitrary code execution</topic>
<affects>
<package>
<name>libwmf</name>
<range><lt>0.2.8.4_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote
cite="http://secunia.com/advisories/20921">
<p>infamous41md has reported a vulnerability in libwmf, which
potentially can be exploited by malicious people to compromise
an application using the vulnerable library.</p>
<p>The vulnerability is caused due to an integer overflow
error when allocating memory based on a value taken directly
from a WMF file without performing any checks. This can be
exploited to cause a heap-based buffer overflow when a
specially crafted WMF file is processed.</p>
<p>Successful exploitation may allow execution of arbitrary
code.</p>
</blockquote>
<p>SecurityFocus additionally reports:</p>
<blockquote
cite="http://www.securityfocus.com/bid/18751/discuss">
<p>Failed exploit attempts will likely cause denial-of-service
conditions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2006-3376</cvename>
<bid>18751</bid>
<url>http://secunia.com/advisories/20921</url>
</references>
<dates>
<discovery>2006-08-10</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln-2.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
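The two patches in this PR apply two different defensive patterns: a range check on a file-controlled size before it is multiplied and handed to the allocator (CVE-2006-3376), and storing the pointer realloc() returns before writing through it (CVE-2009-1364). The following is an added example, not code from libwmf, from Ubuntu's patches or from this PR, that reproduces both patterns in stand-alone C so the 32-bit wrap-around and the list-growth logic can be compiled and checked; every name in it (unguarded_size, rec_params_size, clip_list, clip_add, clip_grow_demo) is hypothetical and struct clip_rect is a stand-in for gdClipRectangle.

```c
/* Added example, not libwmf or FreeBSD ports code: the two defensive
 * patterns the patches above apply, rewritten stand-alone so they can be
 * compiled and exercised. All names (unguarded_size, rec_params_size,
 * clip_list, clip_add, clip_grow_demo) are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Pattern 1: size check before allocation (CVE-2006-3376 fix) --------
 * The parameter buffer is max_rec_size * 2 bytes, where max_rec_size is a
 * 32-bit record size read from the WMF header. Computed in uint32_t, any
 * max_rec_size above UINT32_MAX / 2 wraps to a small number, the allocation
 * succeeds, and later record writes run past the end of the block. */

/* The unguarded computation, kept only to show the wrap-around. */
uint32_t unguarded_size(uint32_t max_rec_size)
{
    return max_rec_size * 2u;        /* e.g. 0x80000001 * 2 wraps to 2 */
}

/* Guarded version: returns 0 and stores the byte count, or -1 when the
 * product cannot be represented (the same test the patch adds). */
int rec_params_size(uint32_t max_rec_size, uint32_t *nbytes)
{
    if (max_rec_size > UINT32_MAX / 2)
        return -1;                   /* malformed or oversized record size */
    *nbytes = max_rec_size * 2u;     /* cannot wrap now */
    return 0;
}

/* --- Pattern 2: keep the realloc() result (CVE-2009-1364 fix) -----------
 * The clip list grows by 8 entries at a time. The original code dropped the
 * pointer realloc() returned, so list kept pointing at the old block
 * (possibly freed) while max claimed there was room: the next store was a
 * heap overflow or a use-after-free. */
struct clip_rect { int x0, y0, x1, y1; };
struct clip_list {
    struct clip_rect *list;
    size_t count;
    size_t max;
};

/* Returns 0 on success, -1 if the list could not grow. On failure the old
 * block is untouched and the rectangle is not added, but unlike the void
 * function in gd_clip.c the caller can see that it was lost. */
int clip_add(struct clip_list *c, const struct clip_rect *r)
{
    if (c->count >= c->max) {
        size_t newmax = c->max + 8;
        struct clip_rect *more = realloc(c->list, newmax * sizeof *more);
        if (more == NULL)
            return -1;
        c->list = more;              /* the one line the patch adds */
        c->max = newmax;
    }
    c->list[c->count++] = *r;
    return 0;
}

void clip_list_free(struct clip_list *c)
{
    free(c->list);
    c->list = NULL;
    c->count = c->max = 0;
}

/* Adds n rectangles to a fresh list, checks that every entry survived each
 * growth step, and returns the final capacity (0 on any failure). */
size_t clip_grow_demo(size_t n)
{
    struct clip_list c = { NULL, 0, 0 };
    struct clip_rect r = { 0, 0, 1, 1 };
    size_t i, capacity;

    for (i = 0; i < n; i++) {
        r.x0 = (int)i;
        if (clip_add(&c, &r) != 0) {
            clip_list_free(&c);
            return 0;
        }
    }
    for (i = 0; i < n; i++)
        if (c.list[i].x0 != (int)i) {
            clip_list_free(&c);
            return 0;
        }
    capacity = c.max;
    clip_list_free(&c);
    return capacity;
}

int main(void)
{
    uint32_t n;
    printf("unguarded 0x80000001 * 2 = %u\n", unguarded_size(0x80000001u));
    printf("guarded   0x80000001: %s\n",
           rec_params_size(0x80000001u, &n) == 0 ? "ok" : "rejected");
    printf("clip list after 20 adds: capacity %zu\n", clip_grow_demo(20));
    return 0;
}
```

Compile with `cc -std=c99 -Wall`. unguarded_size(0x80000001) yields 2 while rec_params_size() rejects the same input, and clip_grow_demo(20) ends with capacity 24 after three growth steps with every stored rectangle still intact, which is exactly what the dropped realloc pointer in the unpatched gd_clip.c could not guarantee.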