Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 268161 (CVE-2009-1364) - <media-libs/libwmf-0.2.8.4-r3 Use-after-free in embedded GD (CVE-2009-1364)
Summary: <media-libs/libwmf-0.2.8.4-r3 Use-after-free in embedded GD (CVE-2009-1364)
Status: RESOLVED FIXED
Alias: CVE-2009-1364
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://launchpad.net/bugs/cve/2009-1364
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-01 20:06 UTC by Alex Legler (RETIRED)
Modified: 2009-07-02 19:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2009-1364.patch (CVE-2009-1364.patch,379 bytes, patch)
2009-05-01 20:08 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 20:06:34 UTC
CVE-2009-1364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1364):
  Use-after-free vulnerability in the embedded GD library in libwmf
  0.2.8.4 allows context-dependent attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a
  crafted WMF file.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 20:08:28 UTC
Created attachment 190066 [details, diff]
CVE-2009-1364.patch

That GD copy should be removed.

If that should take too long, I'm adding the patch found in Debian's bugtracker.
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2009-05-10 23:57:16 UTC
Since perusal of the sources indicate that use of the internal gd seems to offer little benefit, I just dropped the gd use-flag, since libwmf seems unmaintained and maintaining an internal copy in this package is unattractive. Gd is no longer built. 

+*libwmf-0.2.8.4-r3 (10 May 2009)
+
+  10 May 2009; Peter Alfredsen <loki_val@gentoo.org>
+  +libwmf-0.2.8.4-r3.ebuild, +files/libwmf-0.2.8.4-pngfix.patch:
+  Drop use of internal gd w.r.t. bug 268161. Add fix for bug 269324, include
+  order bug, possibly triggered by gcc-4.4.0.
+
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-11 14:19:59 UTC
Arches, please test and mark stable:
=media-libs/libwmf-0.2.8.4-r3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-11 21:43:09 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-12 04:21:32 UTC
Stable for HPPA.
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2009-05-12 13:35:17 UTC
Sparc stable.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-05-12 17:47:29 UTC
alpha/arm/ia64/s390/sh stable
Comment 8 Markus Meier gentoo-dev 2009-05-13 18:21:59 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-18 18:54:26 UTC
ppc64 done
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-05-18 18:54:32 UTC
ppc done
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 17:28:52 UTC
GLSA request filed.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-28 22:30:46 UTC
(In reply to comment #2)
> Since perusal of the sources indicate that use of the internal gd seems to
> offer little benefit, I just dropped the gd use-flag, since libwmf seems
> unmaintained and maintaining an internal copy in this package is unattractive.
> Gd is no longer built. 

Does this mean that libwmf does not have any gd support at all now, not even with the system gd, or does it build against the system gd? The situation is currently unclear to me and the GLSA draft says "All libwmf users should upgrade to the latest version, which now builds against a current version from portage". Is this correct?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-06-29 15:53:38 UTC
It does not build the internal copy and does not link against the system copy:

$ diff -u libwmf-0.2.8.4-r2.ebuild libwmf-0.2.8.4-r3.ebuild
--- libwmf-0.2.8.4-r2.ebuild    2009-03-06 06:18:15.000000000 +0100
+++ libwmf-0.2.8.4-r3.ebuild    2009-05-25 21:05:12.000000000 +0200
...
-IUSE="X expat xml debug doc gtk gd"
+IUSE="X expat xml debug doc gtk"

 RDEPEND="virtual/ghostscript
        xml? ( !expat? ( dev-libs/libxml2 ) )
        expat? ( dev-libs/expat )
-       gd? ( media-libs/gd )
        >=media-libs/freetype-2.0.1
        sys-libs/zlib
        media-libs/libpng
...
@@ -65,10 +65,13 @@
                myconf="${myconf} $(use_with expat) $(use_with xml libxml2)"
        fi

+       # NOTE: The gd that is included is gd-2.0.0. Even with --with-sys-gd, that gd is built
+       # and included in libwmf. Since nothing in-tree seems to use media-libs/libwmf[gd],
+       # we're explicitly disabling gd use w.r.t. bug 268161
        econf \
                $(use_enable debug) \
                $(use_with X x) \
-               $(use_enable gd) \
+               --disable-gd \
                --with-sys-gd \
                ${myconf} \
                --with-gsfontdir=/usr/share/ghostscript/fonts \


$ ./configure --help | grep gd
  --disable-gd            don't build GD, don't look for it, don't require it
  --with-sys-gd=DIR       use system GD in DIR (if compatible)

$ ldd /var/tmp/portage/media-libs/libwmf-0.2.8.4-r3/image/usr/lib64/libwmf.so
        linux-vdso.so.1 =>  (0x00007fff4bbfe000)
        libwmflite-0.2.so.7 => /usr/lib/libwmflite-0.2.so.7 (0x00007f724364a000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00007f72433b1000)
        libX11.so.6 => /usr/lib/libX11.so.6 (0x00007f72430a2000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00007f7242d43000)
        libpng12.so.0 => /usr/lib/libpng12.so.0 (0x00007f7242b1c000)
        libz.so.1 => /lib/libz.so.1 (0x00007f7242905000)
        libm.so.6 => /lib/libm.so.6 (0x00007f7242681000)
        libc.so.6 => /lib/libc.so.6 (0x00007f7242310000)
        libxcb-xlib.so.0 => /usr/lib/libxcb-xlib.so.0 (0x00007f724210c000)
        libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00007f7241eee000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f7241cea000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f7243aba000)
        libXau.so.6 => /usr/lib/libXau.so.6 (0x00007f7241ae6000)
        libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x00007f72418e0000)
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-02 19:37:21 UTC
GLSA 200907-01