Debian Bug report logs - #526434
CVE-2009-1364 libwmf: embedded gd use-after-free error

version graph

Package: libwmf; Maintainer for libwmf is Loïc Minier <lool@debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 1 May 2009 08:21:04 UTC

Severity: serious

Tags: patch, security

Found in version 0.2.8.4-6

Fixed in versions libwmf/0.2.8.4-6.1, libwmf/0.2.8.4-6+lenny1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Loic Minier <lool@dooz.org>:
Bug#526434; Package libwmf. (Fri, 01 May 2009 08:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Loic Minier <lool@dooz.org>. (Fri, 01 May 2009 08:21:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-1364 libwmf: embedded gd use-after-free error
Date: Fri, 01 May 2009 10:18:57 +0200
[Message part 1 (text/plain, inline)]
Package: libwmf
Version: 0.2.8.4-6
Severity: serious
Tags: security patch

Hi,

redhat recently patched libwmf.

CVE-2009-1364 is still reserved, but is disclosed in RHSA-2009:0457-1[0]

A pointer use-after-free flaw was found in the GD graphics library embedded
in libwmf. An attacker could create a specially-crafted WMF file that would
cause an application using libwmf to crash or, potentially, execute
arbitrary code as the user running the application when opened by a victim.
(CVE-2009-1364)

Note: This flaw is specific to the GD graphics library embedded in libwmf.
It does not affect the GD graphics library from the "gd" packages, or
applications using it.


Attached the trivial patch to fix this issue, but probably libwmf should not use
embedded gd, system gd should be used instead.




[0]http://rhn.redhat.com/errata/RHSA-2009-0457.html

Cheers,
Giuseppe.
[CVE-2009-1364.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#526434; Package libwmf. (Wed, 06 May 2009 07:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Wed, 06 May 2009 07:42:03 GMT) Full text and rfc822 format available.

Message #10 received at 526434@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: team@security.debian.org
Cc: 526434@bugs.debian.org
Subject: libwmf: proposed debdiff to fix CVE-2009-1364
Date: Wed, 06 May 2009 09:41:14 +0200
[Message part 1 (text/plain, inline)]
Hi,

I've prepared a NMU to fix CVE-2009-1364 in oldstable, stables, and unstable.

Proposed trivial debdiffs in attachment.

Cheers,
Giuseppe.
[libwmf_0.2.8.4-2+etch1.debdiff (text/plain, attachment)]
[libwmf_0.2.8.4-6.1.debdiff (text/plain, attachment)]
[libwmf_0.2.8.4-6+lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#526434; Package libwmf. (Wed, 06 May 2009 12:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Wed, 06 May 2009 12:24:05 GMT) Full text and rfc822 format available.

Message #15 received at 526434@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>
Cc: team@security.debian.org, 526434@bugs.debian.org
Subject: Re: libwmf: proposed debdiff to fix CVE-2009-1364
Date: Wed, 6 May 2009 14:19:14 +0200
[Message part 1 (text/plain, inline)]
Hi,
* Giuseppe Iuculano <giuseppe@iuculano.it> [2009-05-06 13:14]:
> I've prepared a NMU to fix CVE-2009-1364 in oldstable, stables, and unstable.
> 
> Proposed trivial debdiffs in attachment.

No need for stable, I already prepared fixed packages. For 
unstable I'm gping to sponsor your NMU now.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Wed, 06 May 2009 13:03:06 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Wed, 06 May 2009 13:03:06 GMT) Full text and rfc822 format available.

Message #20 received at 526434-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 526434-close@bugs.debian.org
Subject: Bug#526434: fixed in libwmf 0.2.8.4-6.1
Date: Wed, 06 May 2009 12:32:08 +0000
Source: libwmf
Source-Version: 0.2.8.4-6.1

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive:

libwmf-bin_0.2.8.4-6.1_amd64.deb
  to pool/main/libw/libwmf/libwmf-bin_0.2.8.4-6.1_amd64.deb
libwmf-dev_0.2.8.4-6.1_amd64.deb
  to pool/main/libw/libwmf/libwmf-dev_0.2.8.4-6.1_amd64.deb
libwmf-doc_0.2.8.4-6.1_all.deb
  to pool/main/libw/libwmf/libwmf-doc_0.2.8.4-6.1_all.deb
libwmf0.2-7_0.2.8.4-6.1_amd64.deb
  to pool/main/libw/libwmf/libwmf0.2-7_0.2.8.4-6.1_amd64.deb
libwmf_0.2.8.4-6.1.diff.gz
  to pool/main/libw/libwmf/libwmf_0.2.8.4-6.1.diff.gz
libwmf_0.2.8.4-6.1.dsc
  to pool/main/libw/libwmf/libwmf_0.2.8.4-6.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 06 May 2009 09:19:49 +0200
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-6.1
Distribution: unstable
Urgency: high
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 526434
Changes: 
 libwmf (0.2.8.4-6.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fixed Use-after-free vulnerability in the embedded GD library
     (Closes: #526434) (CVE-2009-1364)
Checksums-Sha1: 
 56391729e4e628f0010f351ee717b0ef012bcf9d 1175 libwmf_0.2.8.4-6.1.dsc
 39d959e88f976ed704a966b0d9591e0c0ffa54f1 7853 libwmf_0.2.8.4-6.1.diff.gz
 fec690ed2b465861709feb16e2010b6000c256f2 186392 libwmf0.2-7_0.2.8.4-6.1_amd64.deb
 fea814e6d08a65e25c4fa550284c5c32024259b5 19048 libwmf-bin_0.2.8.4-6.1_amd64.deb
 7e204d9bb9e5bb2dc605fa6824b0c2e91c4f5fd0 210720 libwmf-dev_0.2.8.4-6.1_amd64.deb
 9a01f104b6025cdb21a9b74a8d63a91bfeacef6b 285956 libwmf-doc_0.2.8.4-6.1_all.deb
Checksums-Sha256: 
 8aa66067ec33aefbc53994ac5e6f8ca16583c8acb88e7b3579539fc975477f3a 1175 libwmf_0.2.8.4-6.1.dsc
 7cedf0a0dc25dc6586c9d3ac30e95512056e6d00636c14ec865a309eeee42ec9 7853 libwmf_0.2.8.4-6.1.diff.gz
 09c5fa458628e4dd892fc05a53bc13f8b7383009916620e08ee947275e7e2fd5 186392 libwmf0.2-7_0.2.8.4-6.1_amd64.deb
 6c758c8cefec6ce8c55ecdc7f17e33c5c4b928c60f10e7db20dc1c030df43c7d 19048 libwmf-bin_0.2.8.4-6.1_amd64.deb
 b085c0a0b4f00965a101e3526f0ee534e74c608b3abec2dda71fb497aea35731 210720 libwmf-dev_0.2.8.4-6.1_amd64.deb
 6e10c7077cbdc09a5192e2a44e92c76d87fd676aec27ca68b6379053b4d3f717 285956 libwmf-doc_0.2.8.4-6.1_all.deb
Files: 
 36f886ec765b92e8498e6c1f597dda51 1175 libs optional libwmf_0.2.8.4-6.1.dsc
 148c2791f1fd89991c3354bf89e847fc 7853 libs optional libwmf_0.2.8.4-6.1.diff.gz
 0cbee925c5397ec10a41e31cc5c28cbd 186392 libs optional libwmf0.2-7_0.2.8.4-6.1_amd64.deb
 1caa89daebf5d8eb68cbb24d1d706874 19048 graphics optional libwmf-bin_0.2.8.4-6.1_amd64.deb
 d7f32f0d7a42c7fbec6aca9309b469e6 210720 libdevel optional libwmf-dev_0.2.8.4-6.1_amd64.deb
 6d4c151ae43eb25635a23339776789e3 285956 doc optional libwmf-doc_0.2.8.4-6.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoBgaQACgkQHYflSXNkfP//SwCbBddMFob+LLrVMptGwN5/mwBy
LB8AnRji1vz3QX9cUKWqfubDJ5MnENFN
=POMA
-----END PGP SIGNATURE-----





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Thu, 17 Dec 2009 00:15:03 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Thu, 17 Dec 2009 00:15:03 GMT) Full text and rfc822 format available.

Message #25 received at 526434-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 526434-close@bugs.debian.org
Subject: Bug#526434: fixed in libwmf 0.2.8.4-6+lenny1
Date: Thu, 17 Dec 2009 00:11:43 +0000
Source: libwmf
Source-Version: 0.2.8.4-6+lenny1

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive:

libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
  to main/libw/libwmf/libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
  to main/libw/libwmf/libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
libwmf-doc_0.2.8.4-6+lenny1_all.deb
  to main/libw/libwmf/libwmf-doc_0.2.8.4-6+lenny1_all.deb
libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
  to main/libw/libwmf/libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
libwmf_0.2.8.4-6+lenny1.diff.gz
  to main/libw/libwmf/libwmf_0.2.8.4-6+lenny1.diff.gz
libwmf_0.2.8.4-6+lenny1.dsc
  to main/libw/libwmf/libwmf_0.2.8.4-6+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 05 May 2009 13:28:49 +0000
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-6+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 526434
Changes: 
 libwmf (0.2.8.4-6+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix use-after-free in embedded copy of gd enabling an attacker
     to do DoS attacks or execute arbitrary code via a crafted wmf file
     (CVE-2009-1364; Closes: #526434).
Checksums-Sha1: 
 00a185f6ebce3a8184d47678b675f78e4946b735 1195 libwmf_0.2.8.4-6+lenny1.dsc
 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89 2169375 libwmf_0.2.8.4.orig.tar.gz
 cb0e21111f18fce513e5bc24c68044fd28bb8824 7894 libwmf_0.2.8.4-6+lenny1.diff.gz
 ec821fbdf8fcefb183bedfbcc08addac39e99616 186908 libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
 4bdf745094af2b2603bac0700be3dda79a371c83 18992 libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
 7126fd67c0b2299707eb210ab39e33735fe6f05b 210036 libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
 695b90ec01d1992adb192f88e1a5e23c1ad3da94 285920 libwmf-doc_0.2.8.4-6+lenny1_all.deb
Checksums-Sha256: 
 81f3c4f1223eeaccbaaf9b9cf152f47a6f57e9b4ebadd61e98a1c1436aa13a98 1195 libwmf_0.2.8.4-6+lenny1.dsc
 5b345c69220545d003ad52bfd035d5d6f4f075e65204114a9e875e84895a7cf8 2169375 libwmf_0.2.8.4.orig.tar.gz
 9e5064760bc98c3e11d7e96a241992ef530f8be77a86b37c3ed0cac60a263780 7894 libwmf_0.2.8.4-6+lenny1.diff.gz
 bda2b01a77287dd6e71aaccfacdb4d3a4563300c6f589dbd86c1137aab923d09 186908 libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
 cb98b29174971ec17f06c9da63632bbb71ab03ecd6a885e863fa3dcd92c48e52 18992 libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
 c503d0f2167bb895e441ec3671eb3741f7ee98a103ccfc929e4748534de6d92e 210036 libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
 8ba2e7d54caeff3a1ea453e16853f4bc584f806ed9f9e9ef4b761a5bd55a2446 285920 libwmf-doc_0.2.8.4-6+lenny1_all.deb
Files: 
 ca8aa8b0ca3a03408032af1ff3882569 1195 libs optional libwmf_0.2.8.4-6+lenny1.dsc
 d1177739bf1ceb07f57421f0cee191e0 2169375 libs optional libwmf_0.2.8.4.orig.tar.gz
 4f82263c3909e9b63e0cbc7ed10e997d 7894 libs optional libwmf_0.2.8.4-6+lenny1.diff.gz
 79c5cf0608709bb8a8e52547a050e94c 186908 libs optional libwmf0.2-7_0.2.8.4-6+lenny1_amd64.deb
 49529a2273c18658ed927016b33e0ff5 18992 graphics optional libwmf-bin_0.2.8.4-6+lenny1_amd64.deb
 b933a8713fee44409613401692602bc9 210036 libdevel optional libwmf-dev_0.2.8.4-6+lenny1_amd64.deb
 c5388d928771785efcbf9cecb6c589a1 285920 doc optional libwmf-doc_0.2.8.4-6+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoAQfsACgkQHYflSXNkfP9G8wCffxGd6q7FDmBsK9GuWI/6n3IL
j/cAn3oWmu2iTcac2jSRcTUNpURcQHFj
=VIGa
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:33:05 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:37:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.