Giuseppe Iuculano
2009-May-01 08:18 UTC
[Secure-testing-team] Bug#526434: CVE-2009-1364 libwmf: embedded gd use-after-free error
Package: libwmf
Version: 0.2.8.4-6
Severity: serious
Tags: security patch

Hi,

redhat recently patched libwmf. CVE-2009-1364 is still reserved, but is disclosed in RHSA-2009:0457-1 [0]:

A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim. (CVE-2009-1364)

Note: This flaw is specific to the GD graphics library embedded in libwmf. It does not affect the GD graphics library from the "gd" packages, or applications using it.

Attached is the trivial patch to fix this issue, but probably libwmf should not use the embedded gd; the system gd should be used instead.

[0] http://rhn.redhat.com/errata/RHSA-2009-0457.html

Cheers,
Giuseppe.

-------------- next part --------------
--- src/extra/gd/gd_clip.c.old	2001-03-28 11:37:29.000000000 +0200
+++ src/extra/gd/gd_clip.c	2009-05-01 10:02:04.000000000 +0200
@@ -70,6 +70,7 @@
 	{	more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
 		if (more == 0) return;
 		im->clip->max += 8;
+		im->clip->list = more;
 	}
 	im->clip->list[im->clip->count] = (*rect);
 	im->clip->count++;
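Review bot: the added `im->clip->list = more;` is the correct fix for the dangling pointer: once gdRealloc has moved the block, the old `im->clip->list` may already be freed, and the unchanged `im->clip->list[im->clip->count] = (*rect);` two lines below would write through it. One point remains on the failure path: `if (more == 0) return;` silently drops the rectangle, and the caller cannot tell that nothing was added. The existing list stays valid in that case (a failed realloc leaves the original block intact), so no memory is lost, but consider returning a status from this function or at least documenting that a failed grow discards the rectangle. Minor style point: `more == NULL` would read more clearly than `more == 0` for a pointer comparison.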