[arch-security] [ASA-201701-1] libwmf: multiple issues

Levente Polyak anthraxx at archlinux.org
Sun Jan 1 19:43:08 UTC 2017 

Arch Linux Security Advisory ASA-201701-1
=========================================

Severity: Critical
Date    : 2017-01-01
CVE-ID  : CVE-2006-3376 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472
          CVE-2007-3473 CVE-2007-3477 CVE-2009-1364 CVE-2009-3546
          CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
          CVE-2016-9011
Package : libwmf
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-16

Summary
=======

The package libwmf before version 0.2.8.4-14 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 0.2.8.4-14.

# pacman -Syu "libwmf>=0.2.8.4-14"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2006-3376 (arbitrary code execution)

Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple
products including (1) wv, (2) abiword, (3) freetype, (4) gimp, (5)
libgsf, and (6) imagemagick allows remote attackers to execute
arbitrary code via the MaxRecordSize header field in a WMF file.

- CVE-2007-0455 (arbitrary code execution)

Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
Graphics Library 2.0.33 and earlier allows remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary
code via a crafted string with a JIS encoded font.

- CVE-2007-2756 (denial of service)

The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a crafted
PNG image with truncated data, which causes an infinite loop in the
png_read_info function in libpng.

- CVE-2007-3472 (denial of service)

Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers to
have unspecified attack vectors and impact.

- CVE-2007-3473 (denial of service)

The gdImageCreateXbm function in the GD Graphics Library (libgd) before
2.0.35 allows user-assisted remote attackers to cause a denial of
service (crash) via unspecified vectors involving a gdImageCreate
failure.

- CVE-2007-3477 (denial of service)

The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle degree
value.

- CVE-2009-1364 (arbitrary code execution)

Use-after-free vulnerability in the embedded GD library in libwmf
0.2.8.4 allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
WMF file.

- CVE-2009-3546 (arbitrary code execution)

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
5.3.1, and the GD Graphics Library 2.x, does not properly verify a
certain colorsTotal structure member, which might allow remote
attackers to conduct buffer overflow or buffer over-read attacks via a
crafted GD file.

- CVE-2015-0848 (arbitrary code execution)

It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) containing BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code
with the privileges of the user running the application.

- CVE-2015-4588 (arbitrary code execution)

It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) with embedded BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code
with the privileges of the user running the application.

- CVE-2015-4695 (arbitrary code execution)

It was discovered that libwmf did not properly process certain WMF
files. By tricking a victim into opening a specially crafted WMF file
in an application using libwmf, a remote attacker could possibly
exploit this flaw to cause a crash or execute arbitrary code with the
privileges of the user running the application.

- CVE-2015-4696 (arbitrary code execution)

It was discovered that libwmf did not properly process certain WMF
files. By tricking a victim into opening a specially crafted WMF file
in an application using libwmf, a remote attacker could possibly
exploit this flaw to cause a crash or execute arbitrary code with the
privileges of the user running the application.

- CVE-2016-9011 (denial of service)

A memory allocation failure in function wmf_malloc in api.c was
reported in libwmf. Opening a maliciously crafted file could cause the
application to crash.

Impact
======

A remote attacker is able to use specially crafted files to crash the
application or execute arbitrary code on the affected host.

References
==========

https://bugs.archlinux.org/task/49162
http://www.openwall.com/lists/oss-security/2015/06/16/4
https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c
https://security.archlinux.org/CVE-2006-3376
https://security.archlinux.org/CVE-2007-0455
https://security.archlinux.org/CVE-2007-2756
https://security.archlinux.org/CVE-2007-3472
https://security.archlinux.org/CVE-2007-3473
https://security.archlinux.org/CVE-2007-3477
https://security.archlinux.org/CVE-2009-1364
https://security.archlinux.org/CVE-2009-3546
https://security.archlinux.org/CVE-2015-0848
https://security.archlinux.org/CVE-2015-4588
https://security.archlinux.org/CVE-2015-4695
https://security.archlinux.org/CVE-2015-4696
https://security.archlinux.org/CVE-2016-9011

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170101/0f3cf9f8/attachment.asc>

More information about the arch-security mailing list