Bug 933109 - (CVE-2015-0848) VUL-1: CVE-2015-0848,CVE-2015-4588: libwmf: CVE-2015-0848 - Heap overflow on libwmf0.2-7
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low / Severity: Normal
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/117239/
Reported: 2015-06-01 15:54 UTC by Andreas Stieger
Modified: 2016-03-10 10:02 UTC (History)
Found By: Security Response Team
Attachments: reproducer (1.54 KB, application/gzip), 2015-06-01 15:54 UTC, Andreas Stieger

Description Andreas Stieger 2015-06-01 15:54:24 UTC
Created attachment 636215: reproducer

Via oss-sec http://seclists.org/oss-sec/2015/q2/597

libwmf is affected by a heap overflow on the function that decodes BMP images.

WMF files may contain both vector graphics and bitmap components. With
the attached WMF file the issue can be reproduced: an overflow
happens because image_size gets a value of 32, and that space is used to
allocate data->image.

src/ipa/ipa/bmp.h, function ReadBMPImage:

1129    image_size = bytes_per_line * bmp->height;
1131    data->image = (unsigned char*) wmf_malloc (API,image_size);
1147        DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);

Inside DecodeImage we have:

DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)

874     for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;

But bmp->width * bmp->height has a value of 64, and a write out of
bounds takes place.

$ wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bmpoverflow.wmf
<partial svg output>
*** Error in `wmf2svg': free(): invalid next size (fast): 0x091584b8 ***

ASAN enabled libwmf/wmf2svg shows the problem:

$ ./src/convert/wmf2svg --wmf-fontdir=/usr/share/fonts/type1/gsfonts bmpoverflow.wmf
<partial svg output>
==3400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c268b0 at pc 0x807093e bp 0xbfc3cee8 sp 0xbfc3ced8
WRITE of size 1 at 0xb5c268b0 thread T0
    #0 0x807093d in DecodeImage ../../src/ipa/ipa/bmp.h:874
    #1 0x807093d in ReadBMPImage ../../src/ipa/ipa/bmp.h:1147
    #2 0x807093d in wmf_ipa_bmp_read ../../src/ipa/ipa/bmp.h:477
    #3 0x815f013 in meta_dib_brush player/meta.h:2187
    #4 0x815f013 in WmfPlayMetaFile /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:922
    #5 0x81a5ff5 in wmf_play /home/fmunozs/wmf/libwmf-0.2.8.4/src/player.c:323
    #6 0x804c583 in wmf2svg_draw /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:208
    #7 0x804f2c5 in wmf2svg_file /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:439
    #8 0x804ad78 in main /home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg.c:458
    #9 0xb6efc72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #10 0x804b46e (/home/fmunozs/wmf/libwmf-0.2.8.4/src/convert/wmf2svg+0x804b46e)

0xb5c268b0 is located 0 bytes to the right of 32-byte region [0xb5c26890,0xb5c268b0)
allocated by thread T0 here:
    #0 0xb72d718c in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0x80d74a8 in wmf_malloc /home/fmunozs/wmf/libwmf-0.2.8.4/src/api.c:482

This causes a Denial of Service, or could cause code execution, since
DecodeImage writes the data of the run-length decoded image to
data->image.

The attached file was fuzzed with lcamtuf's afl fuzzer.
===========

No patch available just now.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0848
http://seclists.org/oss-sec/2015/q2/597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
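The size mismatch the report describes (a 32-byte allocation sized from the packed row stride, against a decoder that writes one byte per pixel, width * height = 64) can be made concrete with a small model. The following C is an added example written for this page, not libwmf's bmp.h and not either vendor patch: the struct bmp_hdr, the function names and the 8x8, 4-bpp header are constructed for illustration, and the hardened size calculation is one defensive approach, not the project's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header struct for this example; it is not libwmf's wmfBMP. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint16_t bits_per_pixel;
} bmp_hdr;

/* a * b with overflow detection; returns 1 on overflow, 0 otherwise. */
static int mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Stride of one packed BMP row, padded to a multiple of 4 bytes. */
static size_t packed_bytes_per_line(uint32_t width, uint16_t bpp)
{
    uint64_t bits = (uint64_t)width * bpp;        /* 2^32 * 2^16 fits in 64 bits */
    return (size_t)(4 * ((bits + 31) / 32));
}

/* Buffer size computed the way the report describes the allocation:
 * stride * height, with no overflow guard. For the constructed 8x8,
 * 4-bpp header this yields 32 bytes. */
size_t packed_image_size(const bmp_hdr *h)
{
    return packed_bytes_per_line(h->width, h->bits_per_pixel) * h->height;
}

/* Hardened size: the decoded pixel buffer must hold one byte per pixel
 * (width * height, 64 for 8x8) as well as the packed rows, whichever is
 * larger. Returns 0 for empty dimensions or when the arithmetic overflows. */
size_t safe_image_size(const bmp_hdr *h)
{
    size_t stride, packed, pixels;
    if (h->width == 0 || h->height == 0)
        return 0;
    stride = packed_bytes_per_line(h->width, h->bits_per_pixel);
    if (mul_overflows(stride, h->height, &packed) ||
        mul_overflows(h->width, h->height, &pixels))
        return 0;
    return packed > pixels ? packed : pixels;
}

/* Stand-in for the decoder's zeroing pass (the loop ASAN flagged):
 * refuses a buffer that cannot hold width * height bytes instead of
 * writing past its end. Returns 0 on success, -1 when refused. */
int clear_pixels(const bmp_hdr *h, unsigned char *pixels, size_t pixels_len)
{
    size_t need;
    if (mul_overflows(h->width, h->height, &need) || need > pixels_len)
        return -1;
    memset(pixels, 0, need);
    return 0;
}

int main(void)
{
    bmp_hdr h = { 8, 8, 4 };                 /* constructed header matching the report's numbers */
    size_t small = packed_image_size(&h);   /* 32 */
    size_t safe = safe_image_size(&h);      /* 64 */
    unsigned char *buf = malloc(safe);
    int r;
    if (buf == NULL)
        return 1;
    printf("packed size %zu, required size %zu\n", small, safe);
    r = clear_pixels(&h, buf, small);
    printf("clear with %zu bytes: %s\n", small, r == 0 ? "ok" : "refused");
    r = clear_pixels(&h, buf, safe);
    printf("clear with %zu bytes: %s\n", safe, r == 0 ? "ok" : "refused");
    free(buf);
    return 0;
}
```

The point of the model is that the allocation and the consumer must agree on the same unit: the stride-based size is correct for storing packed rows, but a decoder that expands to one byte per pixel needs width * height, and the larger of the two has to be allocated before any write.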
Comment 2 Swamp Workflow Management 2015-06-01 22:00:36 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-06-10 10:06:55 UTC
RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1227243
Untested fix 1 at RH: https://bugzilla.redhat.com/attachment.cgi?id=1033697

Add-on from http://seclists.org/oss-sec/2015/q2/617

> There's another issue related to the RLE decoding. DecodeImage() does
> not check that the run-length "count" fits into the total size of the
> image, which can lead to a heap-based buffer overflow. I've not
> assigned a CVE ID to this (mainly because I'm not sure if this
> warrants a new CVE or should be bundled with CVE-2015-0848, so I leave
> that up to the CVE experts on the list).

Untested fix 2 at RH: https://bugzilla.redhat.com/attachment.cgi?id=1034253
Comment 4 Bernhard Wiedemann 2015-06-11 08:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (933109) was mentioned in
https://build.opensuse.org/request/show/311550 Factory / libwmf
https://build.opensuse.org/request/show/311551 13.1 / libwmf
https://build.opensuse.org/request/show/311552 13.2 / libwmf
Comment 6 Andreas Stieger 2015-06-16 10:08:11 UTC
http://seclists.org/oss-sec/2015/q2/719

>     here's another issue related to the RLE decoding. DecodeImage() does
>     not check that the run-length "count" fits into the total size of the
>     image, which can lead to a heap-based buffer overflow. I've not
>     assigned a CVE ID to this (mainly because I'm not sure if this
>     warrants a new CVE or should be bundled with CVE-2015-0848

Use CVE-2015-4588 for this new issue. (The two issues were disclosed
at different times by different persons. CVE-2015-0848 is about a
missing bits-per-pixel factor in a calculation. CVE-2015-4588 is about
a loop that can proceed past the end of its output array.)

This should be added to libwmf-0.2.8.4-badrle.patch in the changelog.
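The second issue, the unchecked run-length "count" in DecodeImage, is illustrated below with a BMP RLE8 decoder that checks every encoded run, delta and absolute block against the remaining output space before writing or skipping. This is an added example written for this page, not libwmf's decoder and not either Red Hat patch; rle8_decode, rle_status and the byte streams in main are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode outcomes; constructed for this example. */
typedef enum {
    RLE_OK = 0,
    RLE_TRUNCATED_INPUT,   /* input ended before the end-of-bitmap escape */
    RLE_OUTPUT_OVERRUN     /* a run, block or delta would pass the end of the pixel buffer */
} rle_status;

/* Decode BMP RLE8 data into a byte-per-pixel buffer of out_len bytes laid
 * out as rows of `width` pixels. Every write and every skip is bounded by
 * out_len - op, which is the check the report says was missing. */
rle_status rle8_decode(const unsigned char *in, size_t in_len, size_t width,
                       unsigned char *out, size_t out_len, size_t *written)
{
    size_t ip = 0, op = 0;

    while (ip + 2 <= in_len) {             /* each record starts with two bytes */
        unsigned char count = in[ip];
        unsigned char value = in[ip + 1];
        ip += 2;

        if (count > 0) {                   /* encoded run: count copies of value */
            if (count > out_len - op)
                return RLE_OUTPUT_OVERRUN;
            memset(out + op, value, count);
            op += count;
            continue;
        }

        switch (value) {                   /* count == 0: escape codes */
        case 0:                            /* end of line: no movement in this flat model */
            break;
        case 1:                            /* end of bitmap */
            *written = op;
            return RLE_OK;
        case 2: {                          /* delta: skip dx pixels and dy rows */
            size_t dx, dy, skip;
            if (ip + 2 > in_len)
                return RLE_TRUNCATED_INPUT;
            dx = in[ip];
            dy = in[ip + 1];
            ip += 2;
            if (dy != 0 && width > (out_len - op) / dy)   /* dy * width > remaining */
                return RLE_OUTPUT_OVERRUN;
            skip = dy * width;
            if (dx > out_len - op - skip)
                return RLE_OUTPUT_OVERRUN;
            op += skip + dx;
            break;
        }
        default: {                         /* absolute mode: `value` literal bytes, padded to even */
            size_t n = value;
            size_t padded = n + (n & 1);
            if (ip + padded > in_len)
                return RLE_TRUNCATED_INPUT;
            if (n > out_len - op)
                return RLE_OUTPUT_OVERRUN;
            memcpy(out + op, in + ip, n);
            op += n;
            ip += padded;
            break;
        }
        }
    }
    return RLE_TRUNCATED_INPUT;
}

int main(void)
{
    /* constructed 4x2 image: run of 4 x 0x11, end of line, run of 4 x 0x22, end of bitmap */
    static const unsigned char good[] = { 4, 0x11, 0, 0, 4, 0x22, 0, 1 };
    /* constructed hostile stream: a run of 9 aimed at an 8-byte image */
    static const unsigned char bad[] = { 9, 0x11, 0, 1 };
    unsigned char pixels[8];
    size_t n = 0;
    rle_status s;

    s = rle8_decode(good, sizeof good, 4, pixels, sizeof pixels, &n);
    printf("good: status %d, %zu bytes written\n", (int)s, n);
    s = rle8_decode(bad, sizeof bad, 4, pixels, sizeof pixels, &n);
    printf("bad:  status %d (rejected before any out-of-bounds write)\n", (int)s);
    return 0;
}
```

The two bounds that matter are the input bound (a record must be fully present before it is read) and the output bound (a run or skip must fit in the space that is left); the delta case computes dy * width against the remaining space first so that the multiplication itself cannot overflow.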
Comment 8 Fridrich Strba 2015-06-16 11:01:24 UTC
(In reply to Andreas Stieger from comment #6)
> Use CVE-2015-4588 for this new issue. (The two issues were disclosed
> at different times by different persons. CVE-2015-0848 is about a
> missing bits-per-pixel factor in a calculation. CVE-2015-4588 is about
> a loop that can proceed past the end of its output array.)
> This should be added to libwmf-0.2.8.4-badrle.patch in the changelog.

Done and resubmitted as the previous notification already said.
Comment 10 Swamp Workflow Management 2015-06-24 13:05:29 UTC
openSUSE-SU-2015:1132-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 933109
CVE References: CVE-2015-0848,CVE-2015-4588
Sources used:
openSUSE 13.2 (src):    libwmf-0.2.8.4-239.4.1
Comment 11 Swamp Workflow Management 2015-06-24 13:06:31 UTC
openSUSE-SU-2015:1134-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 495842,831299,892356,933109
CVE References: CVE-2009-1364,CVE-2015-0848,CVE-2015-4588
Sources used:
openSUSE 13.1 (src):    libwmf-0.2.8.4-234.4.1
Comment 12 Swamp Workflow Management 2015-06-30 08:25:29 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62147
Comment 13 Swamp Workflow Management 2015-07-09 09:08:36 UTC
openSUSE-SU-2015:1212-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
openSUSE 13.2 (src):    libwmf-0.2.8.4-239.7.1
openSUSE 13.1 (src):    libwmf-0.2.8.4-234.7.1
Comment 14 Swamp Workflow Management 2015-08-13 11:10:35 UTC
SUSE-SU-2015:1378-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 831299,933109,936058,936062
CVE References: CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libwmf-0.2.8.4-206.29.29.1
Comment 17 Marcus Meissner 2015-09-03 11:11:47 UTC
released
Comment 18 Swamp Workflow Management 2015-09-03 12:10:08 UTC
SUSE-SU-2015:1484-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 495842,831299,933109,936058,936062
CVE References: CVE-2009-1364,CVE-2015-0848,CVE-2015-4588,CVE-2015-4695,CVE-2015-4696
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Software Development Kit 12 (src):    libwmf-0.2.8.4-242.3
SUSE Linux Enterprise Desktop 12 (src):    libwmf-0.2.8.4-242.3