Subject: [ASA-201701-1] libwmf: multiple issues

Arch Linux Security Advisory ASA-201701-1
=========================================

Severity: Critical
Date    : 2017-01-01
CVE-ID  : CVE-2006-3376 CVE-2007-0455 CVE-2007-2756 CVE-2007-3472
          CVE-2007-3473 CVE-2007-3477 CVE-2009-1364 CVE-2009-3546
          CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
          CVE-2016-9011
Package : libwmf
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-16

Summary
=======

The package libwmf before version 0.2.8.4-14 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 0.2.8.4-14.

# pacman -Syu "libwmf>=0.2.8.4-14"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2006-3376 (arbitrary code execution)

Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple
products including (1) wv, (2) abiword, (3) freetype, (4) gimp,
(5) libgsf, and (6) imagemagick allows remote attackers to execute
arbitrary code via the MaxRecordSize header field in a WMF file.

- CVE-2007-0455 (arbitrary code execution)

Buffer overflow in the gdImageStringFTEx function in gdft.c in GD
Graphics Library 2.0.33 and earlier allows remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary
code via a crafted string with a JIS encoded font.

- CVE-2007-2756 (denial of service)

The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a crafted
PNG image with truncated data, which causes an infinite loop in the
png_read_info function in libpng.

- CVE-2007-3472 (denial of service)

Integer overflow in gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers to
have unspecified attack vectors and impact.

- CVE-2007-3473 (denial of service)

The gdImageCreateXbm function in the GD Graphics Library (libgd) before
2.0.35 allows user-assisted remote attackers to cause a denial of
service (crash) via unspecified vectors involving a gdImageCreate
failure.

- CVE-2007-3477 (denial of service)

The (a) imagearc and (b) imagefilledarc functions in GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle degree
value.

- CVE-2009-1364 (arbitrary code execution)

Use-after-free vulnerability in the embedded GD library in libwmf
0.2.8.4 allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
WMF file.

- CVE-2009-3546 (arbitrary code execution)

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before
5.3.1, and the GD Graphics Library 2.x, does not properly verify a
certain colorsTotal structure member, which might allow remote
attackers to conduct buffer overflow or buffer over-read attacks via a
crafted GD file.

- CVE-2015-0848 (arbitrary code execution)

It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) containing BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code
with the privileges of the user running the application.

- CVE-2015-4588 (arbitrary code execution)

It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) with embedded BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code
with the privileges of the user running the application.

- CVE-2015-4695 (arbitrary code execution)

It was discovered that libwmf did not properly process certain WMF
files. By tricking a victim into opening a specially crafted WMF file
in an application using libwmf, a remote attacker could possibly
exploit this flaw to cause a crash or execute arbitrary code with the
privileges of the user running the application.

- CVE-2015-4696 (arbitrary code execution)

It was discovered that libwmf did not properly process certain WMF
files. By tricking a victim into opening a specially crafted WMF file
in an application using libwmf, a remote attacker could possibly
exploit this flaw to cause a crash or execute arbitrary code with the
privileges of the user running the application.

- CVE-2016-9011 (denial of service)

A memory allocation failure in function wmf_malloc in api.c was
reported in libwmf. Opening a maliciously crafted file could cause the
application to crash.

Impact
======

A remote attacker is able to use specially crafted files to crash the
application or execute arbitrary code on the affected host.

References
==========

https://bugs.archlinux.org/task/49162
http://www.openwall.com/lists/oss-security/2015/06/16/4
https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c
https://security.archlinux.org/CVE-2006-3376
https://security.archlinux.org/CVE-2007-0455
https://security.archlinux.org/CVE-2007-2756
https://security.archlinux.org/CVE-2007-3472
https://security.archlinux.org/CVE-2007-3473
https://security.archlinux.org/CVE-2007-3477
https://security.archlinux.org/CVE-2009-1364
https://security.archlinux.org/CVE-2009-3546
https://security.archlinux.org/CVE-2015-0848
https://security.archlinux.org/CVE-2015-4588
https://security.archlinux.org/CVE-2015-4695
https://security.archlinux.org/CVE-2015-4696
https://security.archlinux.org/CVE-2016-9011
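Illustration (added here, not part of the advisory and not libwmf's own code): the CVE-2006-3376 entry above describes a record buffer sized from the untrusted MaxRecordSize header field, and the CVE-2016-9011 entry describes an allocation that simply fails on a crafted size. The hypothetical parser below reads the standard 18-byte WMF METAHEADER (the mtMaxRecord field is the one the CVE text calls MaxRecordSize; field layout from the WMF format, not from libwmf's player.c) and puts the unchecked 32-bit sizing pattern beside a bounded version that rejects both the wrapping value and the oversized-allocation value before any memory is requested. The header bytes are constructed in make_header, not taken from a real file, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The standard 18-byte WMF METAHEADER, little-endian on disk. mtMaxRecord
 * is the size of the largest record in the file, counted in 16-bit words;
 * it is the field the CVE-2006-3376 text calls MaxRecordSize. */
typedef struct {
    uint16_t mtType;         /* 1 = memory metafile, 2 = disk metafile */
    uint16_t mtHeaderSize;   /* header size in words, always 9 */
    uint16_t mtVersion;      /* 0x0100 or 0x0300 */
    uint32_t mtSize;         /* whole-file size in words */
    uint16_t mtNoObjects;
    uint32_t mtMaxRecord;    /* largest record, in words (untrusted) */
    uint16_t mtNoParameters;
} wmf_header;

#define WMF_HEADER_BYTES 18

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the fixed header and check its constant fields.
 * Returns 0 on success, -1 on a truncated buffer or a malformed header. */
int wmf_parse_header(const uint8_t *buf, size_t len, wmf_header *h) {
    if (len < WMF_HEADER_BYTES) return -1;
    h->mtType         = rd16(buf + 0);
    h->mtHeaderSize   = rd16(buf + 2);
    h->mtVersion      = rd16(buf + 4);
    h->mtSize         = rd32(buf + 6);
    h->mtNoObjects    = rd16(buf + 10);
    h->mtMaxRecord    = rd32(buf + 12);
    h->mtNoParameters = rd16(buf + 16);
    if ((h->mtType != 1 && h->mtType != 2) || h->mtHeaderSize != 9) return -1;
    return 0;
}

/* Vulnerable pattern: the record buffer is sized straight from the header
 * field in 32-bit arithmetic. 0x80000001 words * 2 wraps to 2 bytes, so a
 * later copy of a record of the declared length overruns the heap. Values
 * that do not wrap (for example 0x7fffffff) instead drive a multi-gigabyte
 * allocation that fails, the CVE-2016-9011 class of crash. */
uint32_t record_buffer_bytes_unchecked(const wmf_header *h) {
    return h->mtMaxRecord * 2u;   /* uint32_t * unsigned: wraps silently */
}

/* Hardened pattern: bound the field before doing arithmetic on it. A record
 * is at least 3 words (RecordSize DWORD + RecordFunction WORD) and cannot be
 * larger than the file that contains it, so both the wrapping value and the
 * oversized value are rejected before any allocation is attempted.
 * Returns 0 and sets *bytes, or -1 on rejection. */
int record_buffer_bytes_checked(const wmf_header *h, size_t file_len, size_t *bytes) {
    uint32_t words = h->mtMaxRecord;
    if (words < 3) return -1;
    if (words > file_len / 2) return -1;   /* excludes wrap and huge malloc */
    *bytes = (size_t)words * 2;            /* now provably <= file_len */
    return 0;
}

/* Constructed sample header (not a captured file): plausible constants with
 * the caller's mtMaxRecord value written in little-endian order. */
void make_header(uint8_t out[WMF_HEADER_BYTES], uint32_t max_record_words) {
    const uint8_t fixed[12] = {
        0x01, 0x00,              /* mtType = 1 */
        0x09, 0x00,              /* mtHeaderSize = 9 */
        0x00, 0x03,              /* mtVersion = 0x0300 */
        0x20, 0x00, 0x00, 0x00,  /* mtSize = 32 words (64-byte file) */
        0x00, 0x00               /* mtNoObjects = 0 */
    };
    memcpy(out, fixed, sizeof fixed);
    out[12] = (uint8_t)(max_record_words);
    out[13] = (uint8_t)(max_record_words >> 8);
    out[14] = (uint8_t)(max_record_words >> 16);
    out[15] = (uint8_t)(max_record_words >> 24);
    out[16] = 0x00;
    out[17] = 0x00;                      /* mtNoParameters = 0 */
}

int main(void) {
    uint8_t hdr[WMF_HEADER_BYTES];
    wmf_header h;
    size_t bytes;

    make_header(hdr, 0x80000001u);       /* crafted MaxRecordSize */
    if (wmf_parse_header(hdr, sizeof hdr, &h) == 0) {
        printf("crafted: unchecked size = %u bytes, checked = %s\n",
               record_buffer_bytes_unchecked(&h),
               record_buffer_bytes_checked(&h, 64, &bytes) == 0 ? "accepted" : "rejected");
    }
    make_header(hdr, 10u);               /* benign 20-byte record */
    if (wmf_parse_header(hdr, sizeof hdr, &h) == 0 &&
        record_buffer_bytes_checked(&h, 64, &bytes) == 0)
        printf("benign: record buffer = %zu bytes\n", bytes);
    return 0;
}
```

The bound against the real file length is the important part: a check of the form `words * 2 <= file_len` would itself be computed in the wrapped domain and pass for 0x80000001, whereas dividing the trusted quantity (`file_len / 2`) and comparing it to the untrusted field cannot overflow.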