Your message dated Wed, 06 May 2009 12:32:08 +0000
with message-id <[email protected]>
and subject line Bug#526434: fixed in libwmf 0.2.8.4-6.1
has caused the Debian Bug report #526434,
regarding CVE-2009-1364 libwmf: embedded gd use-after-free error
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
526434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526434
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libwmf
Version: 0.2.8.4-6
Severity: serious
Tags: security patch
Hi,
redhat recently patched libwmf.
CVE-2009-1364 is still reserved, but is disclosed in RHSA-2009:0457-1[0]
A pointer use-after-free flaw was found in the GD graphics library embedded
in libwmf. An attacker could create a specially-crafted WMF file that would
cause an application using libwmf to crash or, potentially, execute
arbitrary code as the user running the application when opened by a victim.
(CVE-2009-1364)
Note: This flaw is specific to the GD graphics library embedded in libwmf.
It does not affect the GD graphics library from the "gd" packages, or
applications using it.
Attached the trivial patch to fix this issue, but probably libwmf should not use
embedded gd, system gd should be used instead.
[0]http://rhn.redhat.com/errata/RHSA-2009-0457.html
Cheers,
Giuseppe.
--- src/extra/gd/gd_clip.c.old 2001-03-28 11:37:29.000000000 +0200
+++ src/extra/gd/gd_clip.c 2009-05-01 10:02:04.000000000 +0200
@@ -70,6 +70,7 @@
{ more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof
(gdClipRectangle));
if (more == 0) return;
im->clip->max += 8;
+ im->clip->list = more;
}
im->clip->list[im->clip->count] = (*rect);
im->clip->count++;
--- End Message ---
--- Begin Message ---
Source: libwmf
Source-Version: 0.2.8.4-6.1
We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive:
libwmf-bin_0.2.8.4-6.1_amd64.deb
to pool/main/libw/libwmf/libwmf-bin_0.2.8.4-6.1_amd64.deb
libwmf-dev_0.2.8.4-6.1_amd64.deb
to pool/main/libw/libwmf/libwmf-dev_0.2.8.4-6.1_amd64.deb
libwmf-doc_0.2.8.4-6.1_all.deb
to pool/main/libw/libwmf/libwmf-doc_0.2.8.4-6.1_all.deb
libwmf0.2-7_0.2.8.4-6.1_amd64.deb
to pool/main/libw/libwmf/libwmf0.2-7_0.2.8.4-6.1_amd64.deb
libwmf_0.2.8.4-6.1.diff.gz
to pool/main/libw/libwmf/libwmf_0.2.8.4-6.1.diff.gz
libwmf_0.2.8.4-6.1.dsc
to pool/main/libw/libwmf/libwmf_0.2.8.4-6.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <[email protected]> (supplier of updated libwmf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 06 May 2009 09:19:49 +0200
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-6.1
Distribution: unstable
Urgency: high
Maintainer: Loic Minier <[email protected]>
Changed-By: Giuseppe Iuculano <[email protected]>
Description:
libwmf-bin - Windows metafile conversion tools
libwmf-dev - Windows metafile conversion development
libwmf-doc - Windows metafile documentation
libwmf0.2-7 - Windows metafile conversion library
Closes: 526434
Changes:
libwmf (0.2.8.4-6.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fixed Use-after-free vulnerability in the embedded GD library
(Closes: #526434) (CVE-2009-1364)
Checksums-Sha1:
56391729e4e628f0010f351ee717b0ef012bcf9d 1175 libwmf_0.2.8.4-6.1.dsc
39d959e88f976ed704a966b0d9591e0c0ffa54f1 7853 libwmf_0.2.8.4-6.1.diff.gz
fec690ed2b465861709feb16e2010b6000c256f2 186392
libwmf0.2-7_0.2.8.4-6.1_amd64.deb
fea814e6d08a65e25c4fa550284c5c32024259b5 19048 libwmf-bin_0.2.8.4-6.1_amd64.deb
7e204d9bb9e5bb2dc605fa6824b0c2e91c4f5fd0 210720
libwmf-dev_0.2.8.4-6.1_amd64.deb
9a01f104b6025cdb21a9b74a8d63a91bfeacef6b 285956 libwmf-doc_0.2.8.4-6.1_all.deb
Checksums-Sha256:
8aa66067ec33aefbc53994ac5e6f8ca16583c8acb88e7b3579539fc975477f3a 1175
libwmf_0.2.8.4-6.1.dsc
7cedf0a0dc25dc6586c9d3ac30e95512056e6d00636c14ec865a309eeee42ec9 7853
libwmf_0.2.8.4-6.1.diff.gz
09c5fa458628e4dd892fc05a53bc13f8b7383009916620e08ee947275e7e2fd5 186392
libwmf0.2-7_0.2.8.4-6.1_amd64.deb
6c758c8cefec6ce8c55ecdc7f17e33c5c4b928c60f10e7db20dc1c030df43c7d 19048
libwmf-bin_0.2.8.4-6.1_amd64.deb
b085c0a0b4f00965a101e3526f0ee534e74c608b3abec2dda71fb497aea35731 210720
libwmf-dev_0.2.8.4-6.1_amd64.deb
6e10c7077cbdc09a5192e2a44e92c76d87fd676aec27ca68b6379053b4d3f717 285956
libwmf-doc_0.2.8.4-6.1_all.deb
Files:
36f886ec765b92e8498e6c1f597dda51 1175 libs optional libwmf_0.2.8.4-6.1.dsc
148c2791f1fd89991c3354bf89e847fc 7853 libs optional libwmf_0.2.8.4-6.1.diff.gz
0cbee925c5397ec10a41e31cc5c28cbd 186392 libs optional
libwmf0.2-7_0.2.8.4-6.1_amd64.deb
1caa89daebf5d8eb68cbb24d1d706874 19048 graphics optional
libwmf-bin_0.2.8.4-6.1_amd64.deb
d7f32f0d7a42c7fbec6aca9309b469e6 210720 libdevel optional
libwmf-dev_0.2.8.4-6.1_amd64.deb
6d4c151ae43eb25635a23339776789e3 285956 doc optional
libwmf-doc_0.2.8.4-6.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoBgaQACgkQHYflSXNkfP//SwCbBddMFob+LLrVMptGwN5/mwBy
LB8AnRji1vz3QX9cUKWqfubDJ5MnENFN
=POMA
-----END PGP SIGNATURE-----
--- End Message ---