Discover Government News

Arch Linux Security Advisory ASA-201701-1
========================================
Severity: Critical
Date    : 2017-01-01
CVE-ID  : CVE-2006-3376 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472
          CVE-2007-3473 CVE-2007-3477 CVE-2009-1364 CVE-2009-3546
          CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
          CVE-2016-9011
Package : libwmf
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-16

Summary
======
The package libwmf before version 0.2.8.4-14 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
=========
Upgrade to 0.2.8.4-14.

# pacman -Syu "libwmf>=0.2.8.4-14"

The problems have been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
- CVE-2006-3376 (arbitrary code execution)

Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple
products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5)
libgsf, and (6) imagemagick allows remote attackers to execute
arbitrary code via the MaxRecordSize header field in a WMF file.

- CVE-2007-0455 (arbitrary code execution)

Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
Graphics Library 2.0.33 and earlier allows remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary
code via a crafted string with a JIS encoded font.

- CVE-2007-2756 (denial of service)

The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a crafted
PNG image with truncated data, which causes an infinite loop in the
png_read_info function in libpng.

- CVE-2007-3472 (denial of service)

Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers to
have unspecified attack vectors and impact.

- CVE-2007-3473 (denial of service)

The gdImageCreateXbm function in the GD Graphics Library (libgd) before
2.0.35 allows user-assisted remote attackers to cause a denial of
service (crash) via unspecified vectors involving a gdImageCreate
failure.

- CVE-2007-3477 (denial of service)

The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle degree
value.

- CVE-2009-1364 (arbitrary code execution)

Use-after-free vulnerability in the embedded GD library in libwmf
0.2.8.4 allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
WMF file.

- CVE-2009-3546 (arbitrary code execution)

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
5.3.1, and the GD Graphics Library 2.x, does not properly verify a
certain colorsTotal structure member, which might allow remote
attackers to conduct buffer overflow or buffer over-read attacks via a
crafted GD file.

- CVE-2015-0848 (arbitrary code execution)

It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) containing BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code
with the privileges of the user running the application.

- CVE-2015-4588 (arbitrary code execution)

It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) with embedded BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code
with the privileges of the user running the application.

- CVE-2015-4695 (arbitrary code execution)

It was discovered that libwmf did not properly process certain WMF
files. By tricking a victim into opening a specially crafted WMF file
in an application using libwmf, a remote attacker could possibly
exploit this flaw to cause a crash or execute arbitrary code with the
privileges of the user running the application.

- CVE-2015-4696 (arbitrary code execution)

It was discovered that libwmf did not properly process certain WMF
files. By tricking a victim into opening a specially crafted WMF file
in an application using libwmf, a remote attacker could possibly
exploit this flaw to cause a crash or execute arbitrary code with the
privileges of the user running the application.

- CVE-2016-9011 (denial of service)

A memory allocation failure in function wmf_malloc in api.c was
reported in libwmf. Opening a maliciously crafted file could cause the
application to crash.

Impact
=====
A remote attacker is able to use specially crafted files to crash the
application or execute arbitrary code on the affected host.

References
=========
https://bugs.archlinux.org/task/49162
https://www.openwall.com/lists/oss-security/2015/06/16/4
https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
https://security.archlinux.org/CVE-2006-3376
https://security.archlinux.org/CVE-2007-0455
https://security.archlinux.org/CVE-2007-2756
https://security.archlinux.org/CVE-2007-3472
https://security.archlinux.org/CVE-2007-3473
https://security.archlinux.org/CVE-2007-3477
https://security.archlinux.org/CVE-2009-1364
https://security.archlinux.org/CVE-2009-3546
https://security.archlinux.org/CVE-2015-0848
https://security.archlinux.org/CVE-2015-4588
https://security.archlinux.org/CVE-2015-4695
https://security.archlinux.org/CVE-2015-4696
https://security.archlinux.org/CVE-2016-9011

ArchLinux: 201701-1: libwmf: multiple issues

January 1, 2017

Summary

- CVE-2006-3376 (arbitrary code execution) Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5) libgsf, and (6) imagemagick allows remote attackers to execute arbitrary code via the MaxRecordSize header field in a WMF file.
- CVE-2007-0455 (arbitrary code execution)
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
- CVE-2007-2756 (denial of service)
The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.
- CVE-2007-3472 (denial of service)
Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.
- CVE-2007-3473 (denial of service)
The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.
- CVE-2007-3477 (denial of service)
The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value.
- CVE-2009-1364 (arbitrary code execution)
Use-after-free vulnerability in the embedded GD library in libwmf 0.2.8.4 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted WMF file.
- CVE-2009-3546 (arbitrary code execution)
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file.
- CVE-2015-0848 (arbitrary code execution)
It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) containing BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.
- CVE-2015-4588 (arbitrary code execution)
It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.
- CVE-2015-4695 (arbitrary code execution)
It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application.
- CVE-2015-4696 (arbitrary code execution)
It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application.
- CVE-2016-9011 (denial of service)
A memory allocation failure in function wmf_malloc in api.c was reported in libwmf. Opening a maliciously crafted file could cause the application to crash.

Resolution

Upgrade to 0.2.8.4-14. # pacman -Syu "libwmf>=0.2.8.4-14"
The problems have been fixed upstream but no release is available yet.

References

https://bugs.archlinux.org/task/49162 https://www.openwall.com/lists/oss-security/2015/06/16/4 https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/ https://security.archlinux.org/CVE-2006-3376 https://security.archlinux.org/CVE-2007-0455 https://security.archlinux.org/CVE-2007-2756 https://security.archlinux.org/CVE-2007-3472 https://security.archlinux.org/CVE-2007-3473 https://security.archlinux.org/CVE-2007-3477 https://security.archlinux.org/CVE-2009-1364 https://security.archlinux.org/CVE-2009-3546 https://security.archlinux.org/CVE-2015-0848 https://security.archlinux.org/CVE-2015-4588 https://security.archlinux.org/CVE-2015-4695 https://security.archlinux.org/CVE-2015-4696 https://security.archlinux.org/CVE-2016-9011

Severity
CVE-2007-3473 CVE-2007-3477 CVE-2009-1364 CVE-2009-3546
CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
CVE-2016-9011
Package : libwmf
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-16

Workaround

None.

Related News