Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 139325 - media-libs/libwmf: integer overflow (CVE-2006-3376)
Summary: media-libs/libwmf: integer overflow (CVE-2006-3376)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://frontal2.mandriva.com/security...
Whiteboard: B2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-05 08:40 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2008-03-06 09:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Temporary fix for 0.2.8.3-r1. (libwmf-0.2.8.3-r1.tmpfix.patch,874 bytes, patch)
2006-07-30 09:25 UTC, Mattias Bengtsson
no flags Details | Diff
Temporary fix for 0.2.8.3-r1. (libwmf-0.2.8.3-r1.tmpfix.patch,977 bytes, patch)
2006-07-30 09:43 UTC, Mattias Bengtsson
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-05 08:40:22 UTC
Hi,

libwmf is vulnerable to a integer overflow vuln, leading to the possible execution of arbitrary code by enticing a user to open a malicious WMF file.

This package has no maintainer, no herd.

I CC: antarus@ of the treecleaners team for information.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-05 08:41:12 UTC
in [upstream] status, no action needed, waiting for an official patch or release.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:49:28 UTC
There probably won't be any.
Comment 3 Mattias Bengtsson 2006-07-30 09:25:39 UTC
Created attachment 93067 [details, diff]
Temporary fix for 0.2.8.3-r1.
Comment 4 Mattias Bengtsson 2006-07-30 09:41:09 UTC
Comment on attachment 93067 [details, diff]
Temporary fix for 0.2.8.3-r1.

Typo, sorry.
Comment 5 Mattias Bengtsson 2006-07-30 09:43:02 UTC
Created attachment 93069 [details, diff]
Temporary fix for 0.2.8.3-r1.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-02 08:41:24 UTC
Mandriva fixed this issue. Please provide an updated ebuild.

We might need to call for a new maintainer on -dev.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-03 00:06:55 UTC
maintainer wanted mail sent to -dev.
Comment 8 Enrico 'nekrad' Weigelt 2006-08-03 09:57:42 UTC
I'll have a look at it. 

It first has to go through the whole CSDB/OSS-QM procedure (file crawler, sysroot'ed crossbuilds, pkgconfig'ing, ...).
Comment 9 SpanKY gentoo-dev 2006-08-06 20:40:01 UTC
0.2.8.4 now in portage with fixes
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-07 00:33:28 UTC
Thx Mike.

Arches please test and mark stable.
Comment 11 Alastair Tse (RETIRED) gentoo-dev 2006-08-07 02:51:42 UTC
stable for x86
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2006-08-07 06:28:38 UTC
ppc64 stable
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-08-07 07:07:42 UTC
sparc stable.
Comment 14 Luca Barbato gentoo-dev 2006-08-07 09:17:02 UTC
Marked ppc
Comment 15 Scott Stoddard (RETIRED) gentoo-dev 2006-08-07 12:03:42 UTC
stable amd64.
Comment 16 Thomas Cort (RETIRED) gentoo-dev 2006-08-07 17:42:53 UTC
alpha stable.
Comment 17 René Nussbaumer (RETIRED) gentoo-dev 2006-08-08 02:10:24 UTC
stable on hppa
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-10 12:32:30 UTC
GLSA 200608-17

arm, ia64, mips, sh don't forget to mark stable to benifit from the GLSA.
Comment 19 Joshua Kinard gentoo-dev 2006-09-03 21:45:04 UTC
0.2.8.4 stable on mips.
Comment 20 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:34:22 UTC
Does not affect current (2008.0) release. Removing release.